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We have examined the effectiveness of D. C. Chartered Health Plan, Inc.'s 
(CHARTERED) internal control over financial reporting as of December 31, 2005, based 
on the Committee of Sponsoring Organizations of the Treadway Commission's Internal 
Control Integrated Framework (COSO Framework). CHARTERED's management is 
responsible for maintaining effective internal control over financial reporting. Our 
responsibility is to express an opinion on the effectiveness of internal control based, on 
our examination. 

Our examination was conducted in accordance with attestation standards established by 
the American Institute of Certified Public Accountants and, accordingly, included 
obtaining an understanding of internal control over financial reporting, testing, and 
evaluating the design and operating effectiveness of internal control, and performing such 
other procedures as we considered necessary in the circumstances. We believe that our 
examination provides a reasonable basis for our opinion. 

Because of inherent limitations in any internal control, misstatements due to error or 
fraud may occur and not be detected. Also, projections of any evaluation of internal 
control over financial reporting to future periods are subject to the risk that the internal 
control may become inadequate because of changes in conditions, or that the degree of 
compliance with the policies or procedures may deteriorate. 

Our examination disclosed a number of material internal control weaknesses that are 
described in the accompanying text to this report. A material weakness is a condition that 
precludes the entity's internal control from providing reasonable assurance that material 
misstatements in the financial statements will be prevented or detected on a timely basis. 

In our opinion, because of the effect of the material weaknesses described in the 
accompanying text to this report on the achievement of the objectives of the control 
criteria, CHARTERED has not maintained effective internal control over financial 
reporting as of December 31, 2005, based on the COSO Framework. 

This report is intended solely for the information and use of the Government of the 
District of Columbia and is not intended to be and should not be used by anyone other 
than that specified party. 
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SECTION I: Description of Chartered Health Plan, Inc 



Chartered Health Plan, Inc. (CHARTERED), a wholly owned subsidiary of DC 
Healthcare Systems, Inc, is a private sector Health Maintenance Organization that 
provides managed health care services including health education and awareness, 
preventative and health maintenance services, and treatment for diseases and conditions. 
The company was created through incorporation in 1986 under the laws of the District of 
Columbia. CHARTERED earned 93% of its 2005 revenue from a contract with the 
Government of the District of Columbia's Department of Health to provide health 
services to Medicaid recipients receiving Temporary Benefits for Needy Family (TBNF) 
benefits. CHARTERED provides services to over 38,000 eligible members. 
CHARTERED fulfills it's contract requirements through a large network of 
approximately 1400 providers, 7 hospitals, and 54 primary care sites, which includes 
Chartered Family Health Center, Inc, another wholly owned subsidiary of DC Healthcare 
Systems, Inc. The contract with the district also requires CHARTERED to provide 
transportation services to Medicaid recipients; CHARTERED uses Rapid Transit, Inc., 
another wholly owned subsidiary of DC Healthcare Systems, Inc. to provide these 
services. 



SECTION II: Material Weaknesses 

For purposes of this report, a material weakness is a condition that precludes the entity? s 
internal control from providing reasonable assurance that material misstatements in the 
financial statements will be prevented or detected on a timely basis. 
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SECTION II 
Material Weaknesses 

Il-I Transactions with related parties are not supported by adequate documentation. 

During calendar year 2005, CHARTERED expended approximately $12.2 million of its 
total $92.7 million Medicaid contract operating expenses on transactions with businesses 
owned and controlled by the owner of D.C. Healthcare Systems, Inc., CHARTERED's 
parent company. No documentation was provided to evidence that these contracts were 
negotiated at arms-length and some of the payments appear to exceed amounts paid to 
unrelated parties for similar services. 

For instance, approximately $5.5 million was paid to Chartered Family Health Center for 
services at capitation rate s that were more than double the rates paid to othe r providers 
tor the same contracted service s. Also, $1,800,000 w as paid to its parent company for 
consulnng services which were said to be provided by CHARTERED's owner and 
another individual. However, we did not find adequate evidence to support these 
payments and they were not paid in accordance with the contracted terms. 

Finally, amounts paid for transportation services, rent, and other consulting and 
professional services were not supported by adequate evidence that the services were 
actually compensated at fair value. 

In addition to the concern relating to fair compensation, there is an inherent concern that 
related parties are not monitored and held to the same or higher contract compliance 
standards that is expected of unrelated parties. We noted no evidence on some of the 
contracts that CHARTERED monitored its affiliates' performances at levels that are 
adequate to ensure contract compliance. 

Recommendation: 

We recommend that all contracts with affiliates' for costs that are reimbursed directly or 
indirectly by third parties be reviewed and approved by an appropriate party who is 
independent of CHARTERED's owners and management. Also, an independent party 
should be engaged to monitor the contract compliance of affiliated vendors. 

II-II CHARTERED's control environment and risk assessment process needs to be 
improved. 

The first major internal control component described by the CO SO report is "Control 
Environment". Maintaining an effective Control Environment involves a number of 
conditions in the organization that ensures an attitude of discipline and commitment 
throughout the organization. Such conditions may include: 



❖ A functional and independent board of directors 
♦J* An audit committee 

♦I* An internal audit function ■ 

❖ A functional ethics policy 

We noted that many of the conditions required for an adequate internal control 
environment are not evidenced at CHARTERED. For instance, we were informed that 
the chairman personally reviews and approves some transactions after management's pre- 
approval. Such activity could lead to corporate policy or controls being overridden. 
Also, there is no functional audit committee or ethics policy. 

Recommendation: 

We recommend that CHARTER'S board of directors initiate actions to improve its 
internal control environment. Such actions may include the following: 

❖ Creation of a functional audit committee that selects and manages the external 
auditors and provides supervision and guidance to an internal audit function. 

<* Develop and enforce an effective ethics policy that requires annual certifications 
from key members of management. 

❖ Ensure that all internal and external audit findings are addressed on a timely basis. 
<♦ Establish policy to ensure that adequate internal control policy is implemented, 

the board of directors is not permitted to override policy, and establish a whistle- 
blowers hotline. 



II-III CHARTERED was unable to demonstrate that it has adequate controls over 
its IT Functions. 

As a part of our assessment of CHARTERED' s internal controls we requested its 
management to complete an Information systems capabilities assessment for managed 
care organizations, which is a questionnaire recommended by the Center for Medicare 
and Medicaid Services (CMS). Completion of this questionnaire is one of the first steps 
that CMS recommends as a part of an external assessment of an MCO's internal control 
systems. The form is designed for the MCO to document its key IT applications, 
infrastructure, and security over its computer systems. Although we requested this form 
on several occasions and were told that it was forthcoming, when the form was received, 
it was only partially completed. We did not receive any responses to our questions on the 
partially completed form. Additionally, during our review of the IT systems the 
individual with overall responsibility for the system resigned. 

CHARTERED 's inability or unwillingness to provide this data or equivalent data 
represents an inability to demonstrate adequate internal controls over its IT systems. 
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In addition, we were able to identify a number of internal control deficiencies which 
collectively represent a material weakness. These deficiencies are noted in appendix A to 
this report. 

Reco mm en dation : 



We recommend that CHARTERED obtain the resources and expertise to implement the 
recommendations in appendix A of this report. 



SECTION III: Reportable Conditions 



For purposes of this report, a reportable condition is a matter coming to our attention that, 
in our judgment, should be communicated to because they represent significant 
deficiencies in the design or operation of internal control, which could adversely affect 
the organization's ability to initiate, record, process, and report financial data consistent 
with the assertions of management in the financial statements. 



SECTION III 
Reportable Conditions 

General Conditions 



III-I No SAS 70 report is obtained from service centers responsible for processing 
claims and encounter data. 

CHARTERED has a significant portion of its claims and encounter data submitted to and 
partially adjudicated by two different service processors. As such, the internal controls 
over the receipt, processing, and summarization of the data received by those service 
processors reside at those service processors' locations. In addition, payroll processing is 
outsourced to a service processor whose responsibilities include generating various 
reports which are used to record payroll activities in the general ledger. 

CHARTERED has no documented procedures in place to ensure that the internal controls 
over the processing of their data by the service processors are adequately designed and 
functioning. 

Recommendation: 

We recommend that CHARTERED implement a process to ensure that the controls at all 
service processors who process data for it has adequate internal controls in place. At a 
minimum, CHARTERED should require all service processors obtain a SAS 70 audit of 
their internal controls design and operating effectiveness. 

III-II CHARTERED does not have a formalized policy to fairly allocate 
administrative support costs to affiliate*. 

During discussions with management, we noted there is no formal method for allocating 
employee time for those employees who are providing services to CHARTERED 's 
affiliates, D.C. Chartered Family Health Center and RapidTrans, Inc. CHARTERED 
provides human resources and payroll support to these affiliates. According to 
management, approximately 30-35 percent of CHARTERED 's Human Resources 
Department's hours are expended on the affiliates' activities. Based on employee wages, 
benefits, and payroll tax expense noted on the fiscal year 2005 trial balance, Human 
Resources Department expenses totaled $425,000,' of which, 30 percent equals $127,500. 
CHARTERED's management noted $45,000 were recorded for the Affiliates for 
administrative services provided. Management did not provide a basis for how the 
$45,000 was determined prior to the conclusion of our fieldwork. Based on our simple 
calculation above, which excluded payroll support related hours, there is a shortfall on 
the reimbursement of CHARTERED's administrative expense of at least $82,500. 
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Additionally, a review of timesheets noted that timesheets did not have the ability to track 
employee time by company serviced. 

Recommendation: 

We recommend that CHARTERED establish and implement an acceptable indirect cost 
allocation plan for reimbursement of administrative services incurred for services 
provided to affiliates. 

Claims and Encounter Data 

III — III Prepare and document formalized procedures to minimize fraud and 
inaccurate claims and encounter reporting by providers. 

Inherent in the Medicaid industry is a high risk of waste, fraud, and abuse; especially as it 
relates to payments to providers. Most health care insurance companies, such as the 
Blues, who compete in the market place primarily based on the cost of their product 
makes significant investments in initiatives to minimize these abuses. We were informed 
by one of the major Blues that they receive a return of $5 to $10 for every dollar spent on 
programs to minimize fraud and abuse. 

Although CHARTERED does utilize an Ingenix anti-fraud software application to review 
and analyze claim data, we believe that their fraud and abuse prevention initiatives could 
be stronger. 

Recommendation 

Internal desk reviews of selected services and provider site audits are required to prevent 
fraud and we recommend that the Plan conduct such audits periodically for all providersr 

HI - IV Prepare and document formal procedures for extraction and consistent 
reporting of claims payments and encounter data 

As a part of our testing of claims and encounter data, we requested a data file consisting 
of specific fields from the data base containing all claims paid in 2005 and all encounters 
in 2005. The file was requested to perform an analysis on the accuracy, completeness, 
validity, and occurrence of the data. We noted that CHARTERED had great difficulty 
providing an accurate, complete, and a consistent data file. In response to our request, we 
received a total of four data files from the Senior Information Systems staff. See Table 1 . 

The first file was unable to be analyzed due to an exportation error. The second claims 
data file, consisting of 707,059 records, $51,454,414 paid claims, and 36,883 unique 
members did not include transactions voided and reversed. The third claims "3ata file 
requested consisting of 772,028 records, $51,531,409 paid" claims, and 36,942 unique 
members did not include the field "Batch_Entry_ID", a field identifying the general 
ledger account(s) the individual claim is contained in. The fourth file requested contained 



879,753 records, $51,562,394 claims paid, and 36,945 unique members. This file 
contained the "Batch_Entry_ID" field, but also an additional field "Claim ID" added by 
the discretion of the programmer. We called a meeting with all CHARTERED personnel 
involved in the data file extraction to gain an understanding of the problem in pulling 
consistent files. CHARTERED management offered the following explanations for the 
differences in files; two different programmers basing the criteria for the query on 
different assumptions and that the extraction was pulled from two different data sources 
(MHC and a data warehouse). Millco preformed a comparative analysis on the files 
received and noted that the results of financial and non-financial data did not change by a 
material amount. 



Table 1 — Summary of Fiscal Year 2005 Paid Claims Data Files Received 



Version of File 


1 st 




3 ra 


4 th 


Number of Records 


Unable to 

Determine Accurately 


707,059 


772,028 


879,753 


Dollar Value of 
Claims Paid 


Unable to 

Determine Accurately 


$51,454,414 


$51,531,409 


$51,562,394 


Number of Members 


Unable to 

Determine Accurately 


36,883 


36,942 


36,945 



The inconsistency in the extraction of the data file raises concerns. The fact that the first 
file was pulled using an incorrect field separator is an indication of personnel without the 
appropriate expertise is performing critical processes. Secondly, the inconsistency in 
presentation of the claims information indicates an internal control weakness in the 
control environment being that formal procedures have not been developed. 



Reco m m end atio n : 

CHARTERED should develop and implement formal policy and procedures for the 
extraction of reports commonly used in normal business practice and reporting to external 
parties. Specifically, the criteria to extract the total amount of claims incurred during a 
given year and the number of encounters for a given year should be standard for all 
people responsible for extracting such reports from financial and non-financial systems. 
The information included in an extraction of a report should include all informational 
data fields necessary to trace to supporting documentation and summarization reports. 
The extraction should be executed on the same data store (e.g. Database or Data 
Warehouse). The information reported through the extraction should be complete and 
consistent regardless of who pulled it and when it was pulled. 

Ill - V Controls should be strengthened over payments to pharmacies. 

For year 2005, the total pharmacy expenditures included in CHARTERED's healthcare 
cost was approximately $9,400,000. CHARTERED makes bi-weekly payments to 
Caremark, the prescription drug benefit administrator. The bi-weekly payments take the 
form of wire transfers and the bi-weekly amount is based on a request that is faxed from 
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Caremark to CHARTERED. Caremark subsequently provides CHARTERED with a 
detailed bi-weekly report and monthly summary report. However, CHARTERED does 
not agree the bi-weekly wire transfer payments to the detailed monthly report. In 
addition, the cost amount included in the detailed monthly report is not confirmed to the 
agreed upon rates in the contract. 

Recomm endation 

We recommend that CHARTERED agree the bi-weekly wire transfer payment amounts 
to the detailed monthly report for all payments made. In addition, we 'recommend that 
CHARTERED confirm the rates used in payment processing to the agreed upon rates in 
the contract. We also recommend that CHARTERED implement procedures to ensure 
that Caremark maintain adequate internal control over the drug benefit administrative 
process. 

Ill - VI Certain costs are paid for and paid to Chartered Health Family Center 
that are charged to healthcare cost without supporting documentation. 

The Chartered Health Family Center (CHFC) is a wholly owned subsidiary of DC 
Healthcare Systems Inc, which is the par ent company of CHARTERED. CHARTERED 
pays CHFC a capitation rate of Sf49.44\per mem ber per month compared t o the lowest 
rate ot j>l"2.50 and the highest rate or $z!.S paid to other primary care centers. 
Documentation supporting the higher rate of &4^.44 was requested but has not been 
received. 

Other costs are absorbed by CHARTERED applicable to CHFC: l in addition to the 
capitation rate paid to CHFC, CHARTERED also incurs other CHFC expenses (i.e.: 
depreciation of leasehold improvements and medical equip ment) which are then included 
m CHARTERbD s lulal heallhcaie cusls. 



Recommendation 

We recommend that CHARTERED complete a cost benefit analysis of the capitation rate 
paid to CHFC and document the basis for the higher rate. We also recommend that 
CHARTERED identify expenses (incurred by CHARTERED) that are related to CHFC 
and adjust the capitation rate or arrange for reimbursement from CHFC. 

Ill - VII The number of enrollees in sub-capitation arrangements with PCP differ 
from the number of enrollees in sub-capitation arrangements with others. 

CHARTERED has sub-capitation arrangements with non-PCP vendors; for example, 
vision, dental care, and re-insurance. The membership number used in the monthly 
capitation payments to these vendors should relate to the total membership in 
CHARTERED. We were unable to reconcile the total number of members in sub- 
capitation arrangements to the total membership number. Documentation supporting the 
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determination of the monthly membership number used in sub-capitation calculations 
was requested but has not provided. 

Reco mmendation 

We recommend that CHARTERED confirm the number of enrollees in all sub-capitation 
arrangements. 

Payroll and Human Resources 

III - VIII Improve controls over Payroll and Human Resources Departments. 

During our review of CHARTERED Payroll and Human Resources Departments we 
noted the following: 

❖ There is no system in place to verify the accuracy of the information entered into 
the human resources system on a regular basis. No secondary review is 
completed once an employee is setup in the Human Resources database. In order 
to maintain effective control and accountability over the Human Resources data, 
CHARTERED must establish procedures to ensure that all critical information is 
entered accurately and that any discrepancies are discovered in a timely manner. 

❖ No formal written Human Resources policies and procedural manual was 
developed. A formal Human Resources policy and procedural manual will 
ensure, in the event of employee losses, an employee with the appropriate 
background will be able to perform HR functions with minimal loss of efficiency 
in the department. 

❖ Management was surprised by human resources personnel access to the payroll 
system. Management indicated that human resources staff does not have access 
to payroll system; however, we were able to observe a human resources personnel 
login into the payroll system. Our requests for a system generated user list for the 
human resources or payroll system were not received prior to the end of our 
fieldwork; therefore, we were unable to confirm the level of access human 
resources personnel maintained. 

*** Payroll checks are received from the payroll processor by the same employee 
responsible for submitting payroll data to the payroll processor. Adequate 
segregation of duties requires employees with responsibilities for processing 
payroll should be segregated from employees with the responsibility of 
distributing payroll checks. Proper segregation of duties will reduce the risk that 
fraud or errors will occur without being detected within a reasonable period of 
time. 

*> Documentation to support supervisor review of payroll expenses was not 
maintained. 

❖ Authorized wire requests are not maintained at CHARTERED. Accounting 
records should be maintained in centralized location to ensure the records can be 
retrieved in a timely manor. 
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Recommendation: 



CHARTERED should conduct a formal review of its policies and procedures to detect 
any deficiencies and/ or violations of its policies. Any noted deficiencies should be 
corrected within a reasonable period of time. 

Cash Disbursements 

m - IX Improve documentation and support over cash disbursements. 

During our testing of a sample of 40 expense transactions we noted the following: 



❖ No support received for 5 expenses; 

♦> 3 1 journal entry batch listings were not received; 

♦> 10 check request forms were not properly approved by the required parties; 

❖ No canceled check was provided for 2 expenses; 

❖ 2 expenses were not properly post to G/L; 

♦t* 1 check request did not properly note invoice was canceled; 



Recommendation: 



CHARTERED should take the necessary steps to ensure established policies and 
procedures are followed as designed. 
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APPENDIX - A 



Reportable Conditions Relating to 
Information Technology 
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Control Objective 1: 
Though CHARTERED has implemented 
security related personnel policies, we found 
instances where policies relating to the 
performance of background investigations, 
contacting references, and terminating 
employees were not complied with. 
Specifically, we found the following: 

• Background checks were not 
completed for six (6) out of ten (10) 
sampled new hires. 

• Reference checks were not 
completed for six (6) out of ten (10) 
sampled new hires. 

• Exit meetings were not documented 
for six (6) out of ten (10) sampled 
terminated employees. 

• There was no documentation of the 
return of company property for six (6) 
out of ten (10) sampled terminated 
employees. 


Policies related to personnel actions, such as 
hiring and termination, are important factors 
for information security. If personnel policies 
are not adequate, an entity runs the risk of (1) 
hiring unqualified or untrustworthy 
individuals, (2) providing terminated 
employees opportunities to sabotage or 
otherwise impair entity operations or assets, 
(3) failing to detect continuing unauthorized 
employee actions. 


CHARTERED should ensure that policies 
relating to hiring and termination of 
employees and contractors are fully 
implemented. 
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Control Objective 2: 

Though CHARTERED considers all data as 
high risk, there was no documentation to 
support how that determination was made. In 
addition, there was not consistency in the 
protection of all CHARTERED data in line 
with the level of risk. 


Classifying data and resources according to 
their sensitivity and criticality will ensure that 
resources are protected adequately with the 
most cost-effective controls. This will ensure 
that the most critical resources are subject to 
the strongest protective controls. 


CHARTERED should establish and document 
classification of resources and related criteria 
according to their levels of sensitivity and 
criticality. 


Control Objective 3: 

The authorization, documentation, and 
monitoring of access to CHARTERED' s 
computerized applications, Network and 
Medicaid data as well as procedures to sharing 
and properly disposing of data did not provide 
maximum security. Specifically, we noted the 
following: 

• Management could not provide 
evidence to show that accesses to 
CHARTERED' s systems {Network, 
MHC, Oracle, UNIX, and Remote) are 
reviewed periodically. 

• Though CHARTERED *s hard drives 
are required to be destroyed prior to 
disposal, there are no clear procedures on 
how to clear sensitive data and software 
contained on such hard drives. 
CHARTERED presently keeps old hard 
drives in a locked cabinet. 

• l^haiv i cxUjL' csoes not nave 
password control guidelines that spell 
out the minimum password requirements 
for CHARTERED systems. 

• Password security parameters are not 
enforced at the MHC application level. 


Lack of periodic review of accesses to 
CHARTERED systems increases the risk that 
unnecessary and terminated accesses will 
remain on the systems. The existence of 
unnecessary and terminated accesses could 
allow unauthorized accesses. 

Setting the Windows account lockout duration 
to any value apart from will enable 
unauthorized users who are locked out to wait 
for the lockout duration to expire and then 
retry. When the value is set to 0, the 
Administrator is required to re-enable the 
account before account lockout reset has 
expired. Also, disabling password complexity 
and network force logoff hours expire could 
increase the risk of unauthorized access to the 
network. 

If sensitive information is not fully cleared 
from hard drives, it may be recovered and 
inappropriately used or disclosed by 
individuals who have access to them. Thus 
this increases the risk of exposure of highly 
sensitive data and software stored on stored 
hard drives. 


CHARTERED management should 
implement controls to ensure that accesses to 
all systems are reviewed periodically and 
documented. The review should result in the 
deletion of terminated and unneeded accesses. 

The following Windows settings are 
recommended: Password complexity 
requirements should be enabled; Account 
lockout duration should be set to minutes; 
Network security: Force Logoff when hours 
expire should be enabled. 

CHARTERED should put procedures in place 
to clear sensitive information and software 
from computer hard drives when they are 
disposed of or transferred to another use. The 
responsibility for clearing information should 
be clearly assigned and standard forms or a 
log should be used to document that all 
discarded or transferred items are examined 
for sensitive information and that this 
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• 2 out of the 60 terminated employees 
still had active access to the MHC 
application. 

• 17 out of 60 terminated employees 
still had active access to the UNIX 
system. The accesses in MHC were 
deleted. 

• 2 out of the 60 terminated employees 
still had active access to the Sungard 
General Ledger System. 

• We found that the following 
Windows Domain settings were not 
consistent with best practice: 

• Password complexity requirements 
are not enforced (Recommendation - 
Should be enabled); 

• Account lockout duration is set to 60 
minutes (Recommended - Minutes); 

• Network security: Force Logoff 
when hours expire is disabled 
(Recommendation - Should be enabled). 

• 4 employees had not logged on to the 
network for at least 65 days. 
Additionally, 3 systems (FAX UM, 
FASSERVER, and exchsrv) have not 

i t /* 'ill 

logged on for a considerable amount of 
time. 

• Audit trail of the Oracle database 
system is not maintained 


The absence of adequate audit trails could 
limit CHARTERED 's ability to monitor 
compliance with security policies and 
investigate security incidents in Oracle. 


information is cleared before the items are 
released. 

The Oracle audit trail option should be 
activated to log user activity and changes to 
critical master files and tables. The logs 
should be reviewed periodically by the System 
Administrator. 


Control Objective 4: 













CHARTERED 's security policies and controls 
for ensuring the security of platform 
configurations and proper patch management 
of operating systems do not provide maximum 
security. We found that: 

• CHARTERED does not have 
baseline configuration guidelines for the 
UNIX operating system, Universe 
database, Oracle database, and Windows 
systems. 

• CHARTERED has not formally 
implemented patch management 
practices for Oracle as per the patch 
management policy. The current Oracle 
database version (8i) is not supported 
hence critical patches are not received 
from the vendor. 


The use of well-written, standardized baseline 
configuration can markedly reduce the 
vulnerability of exposure of IT systems. Its 
absence could result in the lack of baseline 
level of security to protect against common 
and dangerous local and remote threats and a 
consistent approach to securing systems. This 
could also result b significant delays in 
researching and developing appropriate 
security configurations for installed IT 
systems. 

Rv nsintr liniiirwinrtpr! Oraflp sv<:tfttn rritiral 

security patches may not be available from the 
vendor to remedy potential security 
vulnerabilities. 


CHARTERED should develop baseline 
configurations for all the operating systems 
and database systems. These include UNIX, 
Windows, UNIVERSE, and Oracle. 

Pl-T AT? TFR PFl <?hnii1H rnn*iir1f*r iincrraHintr fhp 

Oracle database to a version that is supported 
by the vendor. 


Control Objective 6: 

CHARTERED 's controls for authorizing, 
documenting, testing, and approving Medicaid 
application and related systems software 
development and maintenance activities had 
the following weaknesses: 

• CHARTERED has currently not 
developed a policy to include Internal 
Audit and/ or Security Management in 
the MHC software release 
implementation process to ensure that 
the new enhancements contain adequate 
internal controls. 

• Millco was unable to obtain 
evidence that the current review process 

j associated with the removal of 


Failure to include the internal audit or security 
management functions in the application 
software release implementation process 
increases the risk that potential security 
vulnerabilities in the new release may not be 
detected prior to implementation. 

Failure to formalize and document removal of 
unauthorized software form CHARTERED 
employees' desktops makes it impossible to 
prove that the control is being implemented. 
This introduces some level of risk given the 
highly sensitive nature of Medicaid data stored 
on CHARTERED systems. 


CHARTERED should develop a policy to 
require Internal Audit or Security 
Management in the MHC software release 
implementation process. 

CHARTERED should formalize and 
document the current unauthorized software 
review process to confirm that all software 
identified are indeed removed from 
employees' desktops. 
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unauthorized software from individuals' 
desktops is formalized or documented. 






Control Objective 7: 

CHARTERED 's configuration of the UNIX 
operating system, UNIVERSE database and 
the ORACLE database that store MHC claims 
data had the following weaknesses: 

• Password controls are not enforced 
at the Oracle database level. 
CHARTERED password controls are 
enforced at the network level. 

• An unjustified user account was 
assigned a default tablespace of 
SYSTEM in the DBA_USERS view. 
The account has since been deleted. 

• The UNIX system is not running a 
trusted mode. 

• Two root identification codes were 
assigned on the UNLX system. 

• 93 duplicate accounts existed on the 
UNIX system. CHARTERED agreed to 
delete them. 

• An unjustified generic account 
existed on the UND( system. 
CHARTERED agreed to delete the 
account. 

• Password is not enforced at the 
UNIVERSE database and UNIX 
operating system levels. 

• 5 R commands were running on the 
UNDC system. 


• Oracle password security is critical 
in ensuring the confidentiality and integrity 
of data stored in the database. 

• If a default tablespace is not 
specified when creating a user, the default 
tablespace is the SYSTEM tablespace and 
this could create security and data 
management risk. 

• A trusted HP-UX system maintains 
2 password files: /etc/pass wd and 
Tcb/files/autbV directory. HP-UX Trusted 
Mode enables support for shadow 
passwords and is a prerequisite for 
enabling password aging and kernel-level 
auditing. Without shadow passwords, an 
intruder could use any user's account to 
obtain hashed passwords and use crack or 
similar utilities to find easily guessed 
passwords. If the Tcb/fiies/auth/ directory 
exist, the system is running a trusted mode. 
If it does not exist, the system is not in 
trusted mode. 

• Any account with UID=0 would 
nave superuser privileges on tne system. 
The only superuser account on the system 
should be root. Multiple UID=0 
identification codes increase the risk that 
users have system access privileges that are 
not required for their job functions. In 
addition, unauthorized users who target 


The following minimum values are 
recommended for every oracle user's profile: 

> SESSIONS_PER_USER limited to 
one for most users 

> IDLEJTIME less man 15 to 30 
minutes 

> FAILED LOGIN ATTEMPTS = 5 

> PASSWORD_GRACE_TIME set to 
Oor 1 

> PASSWORD_LIFE_TIME set to 35 
days or less 

> PASSWORD_LOCK_TIME set to 
500 days or more 

• Each user should have a tablespace 
assigned to them. All accounts assigned a 
default tablespace should be justified. 

• CHARTERED should consider 
running a trusted mode given the sensitive 
nature of the Medicaid data 

• There should be only one root level 
identification code defined on the local 
UNIX server. 

• Duplicate UIDs should be deleted. 

• Unjustified generic user 
identifications should be removed from the 
password file. 

• CHARTERED should consider 
enforcing password controls at the 
UNIVERSE database and UNDC operating 
system levels. 



18 









• A Trivial File Transfer Protocol 
(TFTP) was running on the UNIX server 
without a secure option. 


privileged identification codes have 
multiple opportunities to gain root access. 

• Duplicate UIDs limit accountability 
on user actions performed while logged, 
even if the system is logging all events of 
the users. This increases the risk that 
unauthorized users will modify or delete 
files created by another user without being 
noticed. 

• Generic user identification codes 
limit accountability on user action 
performed while logged in as a generic 
user, even if the system is logging all 
events of the generic user. In addition, 
default generic users, such as the "guest" 
identification code are normally targeted 
by intruders attempting to gain access to a 
system. 

• The etc/default/security and 
etc/securetty files allow password 
parameters to be set for users when running 
an HP-UX trusted mode. Setting password 
parameters to reasonable values help 
discourage brute force password guessing 
attacks and minimize the risk of 
unauthorized accesses. 

• R-commands allow users to run 
commands on remote machines, login to 
other machines and copy files between 
machines. These services are historically 
risky and a target of attackers because of 
their weak authentication. For instance r- 
login does not necessitate the user to 
provide a user name. The system receiving 
the r-Iogin lets the user log in without 
password. 


• R-commands should be deleted from 
the system. 

• The TFTP (trivial file transfer 
protocol) should be disabled or should run 
with the secure option (-s). The -s option 
turns on socket-level debugging. 
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■ Use of TFTP increases the risk that 
unauthorized files are transferred across the 
network. For example, if the /etc/passwd 
file is transferred across the net, a user 
could run a cracker program on the 
password file and obtain unauthorized 
password. If there is no need to utilize the 
TFTP then it should be removed from the 
/etc/inetd.conf file. Otherwise, it should be 
restricted by invoking the -s option, which 
restricts its use to a specific directory. 




Control Objective 8: 
CHARTERED's controls for ensuring that 
adequate segregation of duties exists between 
various functions within Medicaid operations 
had some weakness. Specifically, the Senior 
Programmer/Unix Administrator currently 
perform conflicting functions and there is no 
evidence of an effective review process to 
mitigate this risk. 


Inadequately segregated duties increase the 
risk that erroneous or fraudulent transactions 
could be processed; that improper program 
changes could be implemented; and that 
computer resources could be damaged or 
destroyed. 


CHARTERED should implement and 
document a tormal review of the activities of 
the Senior Programmer/Unix Administrator. 


Control Objective 10: 

The following weaknesses were identified in 
the risk assessment and systems security 
program of CHARTERED : 

• CHARTERED has not implemented 
an independent risk assessment that 
considers data sensitivity and integrity 
and the range of risks to the entity's 
systems and data. 

• The Information Security Plan does 
not comply with best practices and the 
copy provided to us was in draft form 
and not approved by Management and 
was not current. 


A comprehensive high-level risk assessment is 
important because it helps make certain that 
all threats and vulnerabilities are identified 
and considered; that the greatest risks are 
identified; and that appropriate decisions are 
made regarding which risks to accept and 
which to mitigate through security controls. 

Without a well designed and approved 
security plan, security controls may be 
inadequate; responsibilities may be unclear, 
misunderstood, and improperly implemented; 
and controls may be inconsistently applied. 
Such conditions may lead to insufficient 
protection of sensitive or critical resources and 


CHARTERED should perform and document 
an independent risk assessment on a regular 
basis or whenever there is a significant change 
in its IT environment. The risk assessment 
should consider data sensitivity and integrity 
and the range of risks to the entity's systems 
and data. Further, final risk determinations 
and related management approvals should be 
documented and incorporated in the security 
plan. 

CHARTERED should document a security 
plan to cover all major facilities and 
operations and should be approved by key 
affected parties. The plan should be reviewed 
periodically and adjusted to reflect current 
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• CHARTERED could not provide 
documents to show how 
recommendations from previous security 
reviews and audits are tracked, 
implemented, and corrective actions 
tested. 

CHARTERED has not performed 
Certification and Accreditation for the 
MHC application. 


disproportionately high expenditures for 
controls over low-risk resources. 

Whenever significant weaknesses are 
identified, the related risks should be 
reassessed, appropriate corrective actions 
taken, and follow-up monitoring performed to 
make certain that corrective actions are 
effective. This is an important aspect of 
management's risk management 
responsibilities. 

By failing to perform Certification and 
Accreditation of the MHC application, 
CHARTERED may not accurately identify 
and assess information security risks that are 
essential in determining what controls are 
required for the MHC application. This could 
potentially impact the confidentiality and 
integrity of Medicaid data processed by the 
application. 


conditions and risks and should cover the 
following areas: (1) Rules of the system / 
Application rules (2) Training / Specialized 
training (3) Personnel controls / Personnel 
security (4) Incident response capability (5) 
Continuity of support / Contingency planning 
(6) Technical security / Technical controls (7) 
System interconnection / Information sharing, 
and (8) Public access controls. 

Management should ensure that 
recommendations from previous security 
reviews and audits are tracked, implemented, 
and corrective actions tested. 

CHARTERED should ensure that 
Certification and Accreditation of the MHC 
application is performed at least every 3 years 
or whenever there is a significant change in 
the IT operating environment. 


Control Objective 11: 

Though CHARTERED is in the process of 
developing a comprehensive Business 
Continuity Plan, the current regularly 
scheduled processes to support the continuity 
of operations (data, facilities, or equipment) 
had the following weaknesses: 

CHARTERED has not currently 
developed and implemented a Business 
Impact Analysis (BIA) for its Medical 
Health Care (MHC) application system 
as part of its contingency planning 


If service continuity controls are inadequate, 
even relatively minor interruptions can result 
in lost or incorrectly processed data, which 
can cause financial losses, expensive recovery 
efforts, and inaccurate or incomplete financial 
or management information. This is 
particularly critical given that 
CHARTERED' s Medicaid data is considered 
highly sensitive. 


CHARTERED should develop and implement 
a comprehensive Business Continuity Plan to 
include the following: 

• Business Impact Analysis 

• Periodic testing of off-site storage 

UdviVUU laUC'A, 

• Periodic testing of the disaster 
recovery plan and adjusting it as 
appropriate. 

• Procedures for recovering the MHC 
application and other systems in order of 
priority. 
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activities. 

CHARTERED has not currently 
developed and implemented policies and 
procedures for testing its off-site storage 
backup tape on a regular basis. 

• Wet Pipe sprinklers located in the 
CHARTERED' s data center should be 
capped. 

• Current MHC application 
Contingency Plan should be updated to 
reflect current condition, (i.e. migration 
from Novel to Windows servers, Identify 
strategies to recover MHC application, 
HP Unix OS, Windows OS, Oracle, and 
Universal data bases). 

• Current contract or interagency 
agreement between CHARTERED and 
Health Center does not exist for an 
alternate MHC application data 
processing facility. 

• The Health Center facility (North 
East, Washington DC) currently secured 
as an alternate site for processing data 
associated with MHC Medicaid Claims 
system is subject to the potential risk of 
being affected by the same natural 
disaster as the main MHC application 
process facility (North West, 
Washington DC) because of their close 
proximity to each other. 

• The First Federal offsite storage 
facility (Gaithersburg, Maryland) 
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An alternate data processing facility 
with documented agreement. 

Both offsite storage and alternate 
processing facility should be 
geographically separated from the 
CHARTERED primary site. 

Regular testing of all critical 
environmental controls to ensure that 
they provide adequate controls to critical 
IT resources in the data center. 
Specifically, the wet pipe sprinklers in 
the data center should be capped. 
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currently used for storing backup tapes 
associated with Medical Health Care 
(MHC) application, is subject to the 
potential risk of being affected by the 
same natural disaster as the main MHC 
application process facility (Washington, 
DC) because of their close proximity to 
each other. 

• CHARTERED does not inspect the 
only handheld fire extinguisher in data 
center on a regular basis. 
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SECTION I 



Introduction: 

The legislative power of the Government of the District of Columbia ("the District") is 
vested in the duly elected officials of the City Council ("the Council") pursuant to its 
Home Rule Charter, as amended. Among other conferred responsibilities, the Council 
annually determines, via an approved budgetary process, how tax revenues are to be 
appropriated for various local government services. Although the District is not officially 
a state under the Federal system of government, it maintains certain "state" functions 
including sharing in the contributions made by the Federal government's allocation for 
the provision of Medicaid services for individuals whose family (household) income falls 
below a predetermined threshold. The Council's committee system includes a Committee 
of Health ("the Committee") that provides oversight and works with the Council at large 
to fund various health-related programs and public initiatives on behalf of the District. 
Oversight of the Medicaid program falls under its jurisdiction. 

According to the District's Annual Medicaid Report, approximately 135,000 people are 
beneficiaries of the District's Medicaid Program. As a strategy to implement greater cost 
efficiency within the Medicaid program, the District, as well as other states, adopted an 
auto-assignment structure in which designated beneficiaries would be enrolled into 
capitated managed care organizations ("MCOs") authorized to provide insurance 
services within the District. Payments to each MCO is based on its assigned population 
count under a negotiated rate depending upon each beneficiary's sub-classification. 

During the Council's consideration of the 2006 fiscal year budget, members of the 
Committee expressed interest to the District's Medicaid program officials in identifying 
additional strategies to determine answers to the following questions: 

• Is it possible to compare the amount of capitation payments made to the three 
participating MCOs with the dollar amount of total services paid to each of the 
contracted health care providers to obtain an understanding of the disparity 
between the two figures? 

Are the MCOs spending capitated dollars on legitimate medical services, or are 
payments being directed to non-Medicaid related expenses? 

• Do the MCOs maintain effective internal controls within each of their relevant 
key business functionalities that are adequate enough to accurately report 
financial and encounter data results periodically to District officials? 

• Do the MCOs maintain effective internal controls within each of their relevant 
key business functionalities to mitigate the level of financial exposure caused by 
fraud, abuse, and waste? 

To answer these questions, the District engaged Milligan & Company to perform internal 
control assessments of the three Manage Care Organizations (MCOs) that are contracted 
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to provide medical care to the District's Medicaid population and to analyze the 
costs of providing care to the Medicaid population. 

We have issued under separate cover a report on D.C. Chartered Health Plan, Inc 's 
(Chartered) internal controls over financial reporting. * 

This report is intended to communicate our findings as a result of the procedures 
performed to analyze Chartered' s costs of providing services under its Medicaid contract 
with the District. 



Purpose and Scope: 

The overall objectives of our review were to review Chartered 's costs to determine the 
following, in comparison to Capitation payments received from the District for a 
specified period: 

• What were the total costs of providing health care services to their Medicaid 
enrollees? 

Were all costs classified as healthcare costs properly classified? 

What was the nature of administrative expenses incurred to manage the Medicaid 

program? 

Do the costs incurred appear to be fairly valued based on the benefits received and 
were the costs incurred for activities that provided benefit to the Medicaid 
enrollees, as would be expected by the District? 

Work Performed: 

We selected Chartered's Fiscal Year 2005 financial data to test because 2005 represented 
the latest year subjected to a financial audit by Chartered's external auditors. Using 
audited financial data provided greater credibility to the information that we were testing. 
Next, we separated the Medicaid related expenses from Chartered's total expenses so that 
we were only focusing on Medicaid related expenses. Chartered only had two major 
activities, the Medicaid activity and an "Administrative Services Agreement". The 
Medicaid activity represented the only contract that Chartered has to provide health 
services. This contract represented approximately 92% of Chartered's total operating 
expenses. The Aaministrative Services Agreement represented a separate contract that 
Chartered had with the District, to provide administrative services only, for the District's 
uninsured population. 

We noted that Chartered had a substantial number of financial transactions with 
companies that are owned by Chartered's parent company or the parent company's 
owner. Approximately $12 million or 13% of the expenses incurred on the Medicaid 
contract were spent with these affiliates. To the best of our ability, we identified all 
transactions with affiliates and reviewed those transactions to determine if they were 
conducted at "arms-length". We also sought to determine if the relationships with the 



affiliates were managed in a responsible mariner, consistent with what one would expect 
from a contractual relationship with an unrelated party. 

We extracted a data file containing all encounters and claims paid for the fiscal year 20Q5 
and tested as follows: 

• We attempted to reconcile the dollar value of claims paid per the file to the 
amount of claims reported as expensed in the audited financial statements. 

• We selected the twenty (20) largest claims paid for the year plus forty (40) 
additional claims selected at random for examination. 

• We traced the amount of claims back to providers' contracts to determine if the 
amount paid was consistent with contractual terms. 

• We also verified that the encounter data included with the claim was consistent 
with the data required by the contract that Chartered has with the District. 

We also tested the internal controls that Chartered has over payments made to providers 
for both sub-capitation and claims. The results of those tests are reported in our report on 
internal controls. 

We selected several adrninistrative cost items for examination that were of questionable 
benefit to the Medicaid program. 

Findings: 

Our findings were as follows- 

We fou nd sub stantial related party transactions which did not appear to have been 
conduct ed at arms-length . Many ot these costs appeared excessive. The exact 
fair value of these services provided could not always be determined within the 
scope of this engagement. Therefore, we took an approach that if the fair value of 
services actually received could not be supported we utilized the limited 
information that we had available to estimate the fair value. If monies were paid 
to a related party and no evidence was submitted to support that the services were 
needed and actually delivered, we assumed that these were unsupported or excess 
related party expenditures. 

Utilizing this approach, we identified $7,679,964 of related party expenses that 
we felt appeared potentially excessive or were unsupported. Chartered 's 
management indicated that the District was aware of many of the related party 
transactions and actually approved them. Therefore, the District should review 
these findings with Chartered to reach a mutual resolution. The details of these 
findings are presented in Exhibit B on page 7 of this report. 



Of the administrative expenses that we reviewed, we identified $470,343 of 
expenses, specifically "Contribution" expenses, that did not provide obvious 
benefit to the Medicaid prograrnT" These findings are presented in Exhibit C on 
page 8 of this report. 

Chartered's audited financial statements for 2005 showed pretax income on 
Medicaid activity of approximately 6.4% of Medicaid revenue. However, 
assuming that all of the costs identified as unsupported or potentially excessive 
were proven to be actually excessive, the profit would be approximately 15%. 




SECTION II: Exhibits 



Exhibit Descriptions: 

Exhibit A - Illustrates the total operating expenses, which include total healthcare 
costs and total general and administrative costs of Chartered as reported in their 
2005 financial statements. The healthcare costs are presented in detail based on 
the type of service provided. The operating expenses are further segregated by 
contract. 

In 2005, Chartered had two major activities, its Medicaid contract with the 
District and an "Administrative Services Contract." The Administrative Services 
contract is a separate contract with the District for which Chartered provides 
administrative support for the District's program to provide medical services to its 
uninsured population. Exhibit A separates Chartered's total operating costs into 
the two separate contracts. 

Exhibit B - Illustrates related party costs totaling $12,252,207 that we identified 
and reviewed. The schedule also illustrates our estimate of the fair value of 
expenses that Chartered's management supported and the amount of unsupported 
related party expenses. The estimate of fair market value was based on limited 
information that was available and is not intended to be specific. 

Exhibit C - Illustrates the Medicaid expenses per the trial balances adjusted for 
any unsupported related party expenses identified in Exhibit B and other 
questioned expenses noted. 
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Exhibit A: 



Total Fiscal Year 2005 Audited Operating Expenses By Contract 





1 


2 

Administrative 


3 = 1-2 




Total FY 2005 


Services 


Medicaid 




Audited Expenses 


Contract 


Contract 


Healthcare costs, net: 








Capitations - Primary Care 


$ 11,205,134 


$ 


$ 11,205,134.32 


Capitations - Health Education 


804,454 


- 


804,454 


Capitations - Lab 


(7,594) 


- 


(7,594) 


Capitations - Dental 


1,950,699 


- 


1,950,699 


Capitations - Vision 


398,759 


- 


398,759 


Capitations - Mental Health 


(9,935) 


- 


(9,935) 


Capitations - Transportation 


2,940,569 


- 


2,940,569 


Capitations - Nurse Triage 


332,370 


- 


332,370 


Capitations - Home Health 


(9,227) 


- 


(9,227) 


Capitations - PCP Incentives 


352,391 


- 


352,391 


Hospital Claims - Inpatient 


22,207,274 


- 


22,207,274 


Mental Health Claims - Inpatient 


1,711,487 


- 


1,711,487 


Hospital Claims - Physician Inpatient 


2,408,940 


- 


2,408,940 


Mental Health Claims - Physician Inpatient 


119,970 


- 


119,970 


Hospital Claims - Physician ER Visit 


5,854,770 


- 


5,854,770 


Hospital Claims - Outpatient Facility 


6,478,953 


- 


6,478,953 


Hospital Claims - Outpatient Professional 


1,349,800 


- 


1,349,800 


Mental Health Claims Physician Outpatient 


463,637 


- 


463,637 


Other Medical Claims - Mental Health 


18,330 


- 


18,330 


Specialist Claims 


4,271,033 


- 


4,271,033 


Other Medical Claims - Durable Medical 


896,341 


- 


896,341 


Other Medical Claims - Home Health 


383,838 


- 


383,838 


Other Medical Claims - Pharmacy 


9,434,341 


- 


9,434,341 


Other Medical Costs 


5,792,286 


- 


5,792,286 


Ambulance Service 


931,540 




931,540 


Reinsurance Expense 


509,860 




509,860 


Reinsurance Recoveries 


(297,177) 




(297,177) 


Coordination of Benefits - Subrogation Expense 


(507,142) 




(507,142) 


Coordination of Benefits - Subrogation Recoveries 


(15,961) 




(15,961) 


Provision for Incurred Claims 


346,195 




346,195 


ER Triage - Hospital 


10,440 




10,440 


Other 


1,439,403 




1,439,403 


Total healthcare costs 


$ 81,765,779 


$ 


$ 81,765,779 



General & Administrative costs: 

Capitations - Nurse Triage 249,020 249,020 

General & Administrative costs 19,896,137 7,546,807 12,349,330 

Other (1,439,403) (1,439,403) 

Total general & administrative costs $ 18,705,754 $ 7,795,827 $ 10,909,927 

Total operating expenses $ 100,471,533 $ 7,795,827 $ 92,675,706 
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Exhibits: 





| Review of Fiscal Year 2005 Related Party Expenses j 






3 

Medicaid 


4 

Total Related 
Party Expenses 


S 

Related Party Expenses @. 
estimated fair value 


e = 4-5 

Unsnpported 
Related Party 
Expenses 




healthcare costs, net: 
















Capitations - Primary Care 


I 


11,205,134 


$ 5,526,354 


S 


2,424,039 


S 3,102,315 


a 


Capitations - Health Education 




S04.454 


804,454 




*■ 


804,454 


b 


Capitations - Lab 




(7,594) 


- 




- 


- 




Capitations - Dental 




1,950,699 






- 


- 




Capitations - Vision 




398,759 


- 






- 




Capitations - Mental Health 




(9,935) 






- 


- 




Capitations - Transportation 




2,940,569 


2,940,569 




1,285,702 


1,654,868 


c 


Capitations - Nurse Triage 




332,370 


■ 




- 


- 




Capitations - Home Health 




(9,227) 






- 


- 




Capitations - PCP Incentives 




352,391 


• 




- 


• 




Hospital Claims - Inpatient 




22,207,274 


- 




- 


- 




Mental Health Claims - Inpatient 




1,711,487 


- 




• 


- 




Hospital Claims - Physician Inpatient 




2,408,940 


- 




- 


- 




Mental Health Claims - Physician Inpatient 




119,970 


- 




- 


- 




Hospital Claims - Physician ER Visit 




5,854,770 


- 




- 


- 




Hospital Claims - Outpatient Facility 




6,478,953 


- 




- 


- 




Hospital Claims - Outpatient Professional 




1,349,800 


- 






- 




Mental Health Claims Physician Outpatient 




463,637 


- 




- 


- 




Other Medical Claims - Mental Health 




18,330 






- 


- 




Specialist Claims 




4,271,033 


- 




■ 


- 




Other Medical Claims - Durable Medical 




896,341 


- 




- 


- 




Other Medical Claims - Home Health 




383,838 


• 






- 




Other Medical Claims - Pharmacy 




9,434,341 


- 




- 


- 




Other Medical Costs 




5,792,286 


- 




- 


• 




Ambulance Service 




931,540 


- 




- 


- 




Reinsurance Expense 




509,860 






- 






Reinsurance Recoveries 




(297,177) 


- 




- 


- 




Coordination of Benefits - Subrogation Expense 




(507,142) 


- 




- 


- 




Coordination of Benefits - Subrogation Recoveries 




(15,961) 


* 




- 


- 




Provision for Incurred Claims 




346,195 


- 




- 


■ 




ER Triage - Hospital 




10,440 


• 






- 




Other 




1,439,403 


- 






- 




Total healthcare costs 


$ 


81,765,779 


$ 9,271,377 


$ 


3,709,741 


S 5,561,637 




General & Administrative costs: 
















General & Administrative costs: 
















Questioned G & A costs: 
















Salaries & Benefits 




8.445,343 


127,500 




45,000 


82,500 


i 


Consulting 




1,177,124 


235,827 






235,827 


d 


Rent 




817,502 


817,502 




817 502 


- 


e 


Management Fee & Consulting 




1,800,000 


1,800,000 






1,800,000 


f 


Contributions 




470,343 












Total questioned G & A costs 

1 Olal \J Ot n 

Sub-total general Sc. administrative costs 
Other 

Total general & administrative costs 
Total operating expenses 




12,710,312 
C360 982*1 


2,980,829 




862,502 


2,118,327 






12,349,330 
(1,439,403) 


2,980,829 




862,502 


2.118,327 


$ 


10,909,927 


S 2,980,829 


I 


862,502 


$ 2,118,327 




92,675,706 


S 12,252,207 


I 


4,572,243 


$ 7,679,964 















See the legend on pages 9 & 1 for an explanation exhibits methodology and each alpha character tickmarlc 
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Exhibit C: 





Review of Fiscal Year 2005 Total Medicaid Expenses 






3 

Medicaid 


6 

Unsupported 
Related Party 
Expenses 




7 

Questioned Expenses 




8=3-6-7 
Adjusted 
Medicaid 
Expenses 


Healthcare costs, net; 


















Capitations - Primary Care 


$ 


11,205,134 


S 3,102,315 


h 


S 


- 




8,102,819 


Capitations - Health Education 




804,454 


804,454 


b 




- 




- 


Capitations - Lab 




(7.594) 


- 






- 




(7,594) 


Capitations - Dental 




1,950,699 


• 






- 




1,950,699 


Capitations - Vision 




398,759 


- 






- 




398,759 


Capitations - Mental Health 




(9,935) 


- 






- 




(9,935) 


Capitations - Transportation 




2,940,569 


1,654,868 


h 




- 




1,285,702 


Capitations - Nurse Triage 




332,370 


- 






- 




332,370 


Capitations - Home Health 




(9,227) 


- 






- 




(9,227) 


Capitations - PCP Incentives 




. 352,391 


- 






• 




352,391 


Hospital Claims - Inpatient 




22,207,274 


- 






- 




22,207,274 


Mental Health Claims - Inpatient 




1,711,487 


- 






- 




1,711,487 


Hospital Claims - Physician Inpatient 




2,408,940 


- 






- 




2,408,940 


Mental Health Claims - Physician Inpatient 




1 19,970 


- 






- 




119,970 


Hospital Claims - Physician ER Visit 




5,854,770 


- 






- 




5,854,770 


Hospital Claims - Outpatient Facility 




6,478,953 


- 






- 




6,478,953 


Hospital Claims - Outpatient Professional 




1,349,800 


- 






- 




1,349,800 


Mental Health Claims Physician Outpatient 




463,637 


- 






- 




463,637 


Other Medical Claims - Mental Health 




18,330 


• 






- 




18,330 


Specialist Claims 




4,271,033 


- 






- 




4,271,033 


Other Medical Claims - Durable Medical 




896,341 


• 






- 




896,341 


Other Medical Claims - Home Health 




383,838 


- 






- 




383,838 


Other Medical Claims - Pharmacy 




9,434,341 


■ 










9,434,341 


Other Medical Costs 




5,792,286 


- 






- 




5,792,286 


Ambulance Service 




931,540 


- 






- 




931,540 


Reinsurance Expense 




509,860 


- 






- 




509,860 


Reinsurance Recoveries 




(297,177) 








- 




(297,177) 


Coordination of Benefits - Subrogation Expense 




(507,142) 


- 






- 




(507,142) 


Coordination of Benefits - Subrogation Recoveries 




(15,961) 


- 






- 




(15,961) 


Provision for Incurred Claims 




346,195 


- 






- 




346,195 


ER Triage - Hospital 




10,440 


- 










10,440 


Other 




1,439,403 


- 






- 




1,439,403 


Total healthcare costs 


$ 


81,765,779 


S 5,561,637 




$ 




S 


76,204,142 


General & Administrative costs: 


















General & Administrative costs: 


















Questioned G & A costs: 


















Salaries & Benefits 




8,445,343 


82,500 


h 




- 




8,362,843 


Consulting 




1,177,124 


235,827 


h 








941,297 


Rent 




817,502 








- 




817,502 


Management Fee & Consulting 




.1,800,000 


1,800,000 


h 








- 


Contributions 




470,343 








470,343 J 






Total questioned G & A costs 

Total other G & A costs 

Sub-total general &. administrative costs 
Other 

Total general & administrative costs 
Total operating expenses 




12,710,312 
(360,982) 


2,118,327 






470,343 




10,121,642 
(3o0,9s2) 




12,349,330 
(1,439,403) 


2,118,327 




470,343 




9,760,660 
(1,439,403) 


$ 


10,909,927 


S 2,118,327 


s 


470,343 


$ 


8,321,257 


$ 


92,675,706 


$ 7,679,964 


s 


470,343 


$ 


84,525,399 

















See the legend on pages 9 & 10 for an explanation exhibits methodology and each alpha character tickmark. 
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Legend: 



Each exhibit contains numerical characters above each column containing dollar values. 
These numerical characters are used to illustrate the relationship of each column within 
and between each exhibit. For example, Exhibit A illustrates the numerical values in 
Column "3" will equal the value in Column "1" minus the Value in Column "2". 
Column "3" in Exhibit B represents amounts determined in Exhibit A for the same 
column number. 

Alpha tickmarks represent the following: 

a - The Chartered Health Family Center (CHFC) is a wholly owned subsidiary of 
DC Healthcare Systems Inc., which is the parent company of Chartered. During 
2005 Chartered paid CHFC Primary Care capitation payments totaling 
$5,526,354. The "Unsupported Related Party Expenses" amount of 
approximately $3,102,315 represents the capitation rate paid to CHFC ($49.44) 
less the highest rate paid to other primary care centers ($21.50) multiplied by the 
number of enrollee months of approximately 112,746 for fiscal year 2005. We 
requested but did not receive documentation supporting the higher rate of $49.44 
per member per month prior to the end of our fieldwork. 

b - In addition to the $49.44 per member per month paid to Chartered Family 
Health Center (CHFC), Chartered also paid approximately $804,000 to CHFC for 
health education to Chartered' s members. Per our conversation with the District's 
Actuarial Consultant, these costs are administrative should not be classified as 
healthcare costs. 

c - RapidTrans is also a wholly owned subsidiary of DC Healthcare Systems Inc. 
Chartered has contracted with RapidTrans to be the sole contracted provider of 
transportation services for Chartered's enrollees. Chartered pays a capitation rate 
to RapidTrans for each of its enrollees. The capitation rate increased from $2.95 
in year 2002 to $5.35 in 2005, an increase of approximately 81%. In addition, the 
2005 capitation rate increase was retroactively applied to 2004, which resulted in 
an additional $489,981.37 of costs being charged in 2005 for services incurred in 
2004. 

We were informed that the highest Taxi Cab rate in the district for a one way fare 
is approximately $19, compared to RapidTrans average one way cost of $36.12. 
RapidTrans indicated the $5.35 capitation represents fair market value, based on 
their comparison to one other transportation company and the amount that the 
District pays for similar services. We question if this cost is excessive when 
considering the cost of alternative transportation. In addition, we question the 
appropriateness of the retroactive effect of the agreement reached in 2005 
applicable to the entire year of 2004, which is included in the Plan's total 2005 
healthcare cost 

d - Chartered has an agreement with Thompson, Cobb, Bazilio and Associates 
(TCBA) for consulting services not to exceed $845,000. Although fiscal year 
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2005 expenses did not exceed $845,000, we were unable to verify that this 
contract was negotiated at arms-length. 

e - Chartered headquarters is owned by the DC Healthcare Systems Inc. for which 
Chartered remits lease payments. The lease is a triple net lease, which means all 
significant expenses are paid by the leasee. We did not question this cost; 
however, we saw no evidence that the lease was negotiated at arms length. 

f - Chartered paid $1.8 million for consulting services to its parent, DC Healthcare 
Systems Inc. The original agreement and first amendment were valid for 3 years 
(May 2000 through May 2003). A second amendment was not executed until 
November 8, 2006, that reflects the term of the agreement to be from May 18, 
2000 to May 17, 2007. Nonetheless, wire transfers were made in year 2005 
without a valid executed agreement. Documents have been requested but not 
received to support these costs and obligation. We did receive some information 
that indicated that some of these costs were for services provided by the CEO of 
TCBA, who is also the Chairman of Chartered. 

h - Amounts are carried forward from Exhibit B. 

i - As noted in comment III - II of the Report on Examination of Effectiveness of 
Internal Controls Over Financial Reporting, Chartered does not have a formalized 
policy to fairly allocate administrative support costs to affiliates. Human 
Resources Department personnel disclosed that approximately 30% to 35% of 
their time is spent working on Chartered's affiliates. Total human resources 
department salaries and benefits approximated $425,000, for which 30% 
amounted to $ 127,000. Chartered's management noted that only $45,000 was 
recorded as expenses incurred for its affiliates for all administrative services 
provided. Management did not provide a basis for how the $45,000 was 
determined prior to the conclusion of our fieldwork. Based on our simple 
calculation above, which excluded payroll support related hours, there is a 
shortfall on the reimbursement of Chartered's administrative expense of at least 
$82,500. This amount does not include administrative services for payroll and 
general administration. 

j - Chartered made several apparent charitable contributions to various 
organizations. One particular health center, the Whitman- Walker Clinic, received 
a contribution in the amount of $150,000, to support and keep that health center 
from closing it's business. Millco questions the benefit these contributions 
provide to the Medicaid program as a whole. 
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SECTION III: 
Exhibit D 



Introduction: 

At the request of the Government of the District of Columbia Department of Health 
Medical Assistance Administration, we have issued this addendum to our Report on the 
Review of Operating Expenses of D.C. Chartered Health Plan, Inc. issued April 2007 (the 
Report) to clearly illustrate the performance indicators for Chartered's fiscal year 2005. 
This addendum is intended to be read in conjunction with our Report. 

Definitions: 

According to the Centers for Medicare & Medicaid Services (CMS), one of the key 
means of measuring the performance of an MCO is their Medical Loss Ratio (MLR). 
CMS defines the MLR as the MCO's total cost for the medical services provided divided 
by the total revenue from monthly premiums. In addition to the medical costs, an MCO 
also incurs other business and administrative expenses. These costs are generally 
calculated as the Administrative Loss Ratio (ALR), which is general business and 
administrative expenses divided by the total revenue from monthly premiums. The ALRs 
are subtracted from gross profit to calculate operating profit. The operating margin is 
defined as the amount left over to pay interest, taxes, any dividends, etc. divided by the 
total premium revenue. ( 1 00% - MLR - ALR = Operating Margin) 

According to the District's actuary employed to calculate the premium capitation range, 
medical expenses represent those costs that represent medical service costs, including 
reinsurance premiums and the offsetting entry to reinsurance recoveries. Non-medical 
costs, including those incurred for utilization review, quality assurance, and medical 
management by the MCO and the Medical Director, are to be reported under the 
"Administrative Expenses." 

The CMS and actuary definitions noted above were used to determine the ratios 
calculated in Exhibit D. 



Legend: 

Column 3 and 8 are derived from page 8 of our Report. 

Column 9 reports expenses reclassified for the calculation of Medical Loss Ratio 
or Administrative Loss Ratio in accordance with CMS guidelines and the Districts 
actuary instructions. 
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Column 10 presents the difference between columns 8 & 9. 

Alpha tickmarks represent the following: 

k - Based on our discussion with management, this expense is for a nurse call 
service. The member would call and speak to nurses. The nurse would provide 
medical instruction until the person could see their physician. Also, members may 
call with general medical questions. It appears to be medical management which, 
based on the "Data Request" instructions sent to the MCO's from the District's 
actuary, would be considered as an administrative cost; therefore, we have 
reclassed these amounts to general and administrative costs. 

1 - We were informed that these payments were to encourage the physician to 
attend meetings and, more importantly, to submit encounter forms. According to 
the "Data Request" instructions sent to the MCO's from the District's actuary, 
"payments to incent providers to submit encounter forms" are administrative 
business expenditures; therefore, we have reclassed these amounts to general and 
administrative costs. 

m - For audited financial statements, Chartered reclassified medical 
administration cost from general and administrative cost to healthcare cost. These 
expenses include the cost for activities such as; utilization review, medical 
management, medical director, etc. Based on the "Data Request" instructions sent 
to the MCO's from the District's actuary, these expenses should be reported as 
administrative expenses; therefore, we have reclassed these amounts to general 
and administrative costs. 

Illustrations: 

Figure 1 highlights the differences noted between the performance of Chartered 's 
operations before and after our adjustments compared to industry standards. The industry 
results are derived from the Center for Health Care Strategies, Inc. Resource Paper: 
Profiting from Proficiency: The Growing Importance of Medicaid-Focused Health Plans, 
November 2003, which reported Medicaid plans on average had a MLR, ALR, and 
operating profit margin of 86%, 1 1%, and 3%, respectively. 

Figure 2 highlights the combined effects of the adjustments from columns 6 and 7 in our 
Report on the Review of Operating Expenses of D.C. Chartered Health Plan, Inc. issued 
April 2007 and column 9 of this addendum on the medical expenses, general and 
administrative expenses, and profit before interest and income taxes. 
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Exhibit D: 



D. C. CHARTERED HEALTH PLAN, INC. 


| Calculation of Significant Ratios and Average PMPM Reven 




& Expenses 




1 




3 


a 




9 




10-8-9 












Adjusted Medicaid 






Adjusted 


Reclasses for MLR & 


Expenses (MLR & 




Medicaid 


Medicaid 




ALR Purposes 




ALR) 


Healthcare costs, net: 














Capitations - Primary Care 


S 11,205,134 


S 8,102,819 


$ 


- 


J 


8,102,819 


Capitations - Health Education 


804,454 


• 




- 




- 


Capitations - Lab 


(7,594) 


(7,594) 




- 




(7,594) 


Capitations - Dental 


1,950,699 


1,950,699 




- 




1,950,699 


Capitations - Vision 


398,759 


398,759 




- 




398,759 


Capitations • Mental Health 


(9,935) 


(9,935) 




- 




(9,935) 


Capitations - Transportation 


2,940,569 


1,285,702 




- 




1,285,702 


Capitations - Nurse Triage 


332,370 


332,370 




(332^70) k 




- 


Capitations - Home Health 


(9,227) 


(SU27) 




- 




(9,227) 


Capitations - PCP Incentives 


352,391 


352,391 




(352,391) I 




- 


Hospital Claims - Inpatient 


22,207,274 


22,207,274 




- 




22,207,274 


Mental Health Claims - Inpatient 


1,711,487 


1,711,487 




- 




1,711,487 


Hospital Claims - Physician Inpatient 


2,408,940 


2,408,940 




- 




2,408,940 


Mental Health Claims • Physician Inpatient 


119,970 


1 19,970 




- 




119,970 


Hospital Claims - Physician ER. Visit 


5,854,770 


5,854,770 




- 




5,854,770 


Hospital Claims - Outpatient Facility 


6,478,953 


6,478,953 








6,478,953 


Hospital Claims - Outpatient Professional 


1,349,800 


1,349,800 




- 




1,349,800 


Mental Health Claims Physician Outpatient 


463,637 


463,637 








463,637 


Other Medical Claims - Mental Health 


18.33C 


18,330 




- 




18,330 


Specialist Claims 


4,271,033 


4,271,033 




_ 




4,271,033 


Other Medical Claims - Durable Medical 


896,341 


896,341 




_ 




896,341 


Other Medical Claims - Home Health 


383,838 


383,838 




- 




383,838 


Other Medical Claims - Pharmacy 


9,434,341 


9,434,341 








9,434,341 


Other Medical Costs 


5,792,286 


5,792,286 








J, /yZyZvw 


Ambulance Service 


931,540 


931,540 








931,540 


Reinsurance Expense 


509,860 


509,860 




■ 




509,860 


Reinsurance Recoveries 


(297 177) 


(297 177) 








(297,177) 


Coordination of Benefits - Subrogation Expense 


(507,142) 


(507,142) 








(507,142) 


Coordination of Benefits - Subrogation Recoveries 


(15,961) 


(15,961) 




- 




(15,961) 


Provision for Incurred Claims 


346,195 


346,195 








346,195 


ER Triage - Hospital 


10,440 


10,440 








10,440 


• Other 


1,439,403 


1,439,403 




(1,439,403) m 






Total healthcare costs 






j 


(2 124 tfi4*l 




74,079,978 


General & Administrative costs: 














General Sc. adminisfrative costs 


12,349,330 


10,121,642 








10,121,642 


Other 


(1,439,403) 






2,124,164 




2,124.164 


Total general & administrative casts 


S 10,909,927 


t 10,121,642 


i 


2,124,164 


S 




Total operating expenses 


i 92,675,706 


$ 86,325,784 


S 




$ 


S6.325.784 


Total Medicaid Revenue (Premium) 


S 99,048,249 








s 


99,U4B,24y 


Oneratinf Profit (before interest & income taxes) 


$ 6,372,543 








s 


12,722,465 


Operating Profit Margin (before interest &. income taxes) 


6% 










13% 


Medical Loss Ratio 


83% 










75% 


Administrative Loss Ratio 


11% 










12% 


Total member months during MCO fiscal year 


422,705 










422,705 


Average Medicaid Revenue PMPM 


$ 234 








s 


234 


Average Medical Expense PMPM 


% 193 










175 


Average G & A Expense PMPM 


$ 26 








% 


29 


Average Medicaid Operating Expense PMPM 


$ 219 








s 


204 



See the legend on pages I & 2. 
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Fi gure 1: 

Chartered Comparison to Industry 
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Figure 2; 



Distribution of Adjustments 




a Medical Expenses ■ G & A ■ Profit 



DC Chartered Health Plan, Inc. 
Response to Audit Findings Dated April 2, 2007 

II Material Weaknesses 

While Chartered Health Plan accepts the definition of a material weakness as posed by 
the auditors, however, it strongly objects to the suggestion that any of the items, sited 
herein, are, in fact, material weaknesses . Chartered maintains strongly that these findings 
emanate from the auditors lack of experience with managed care organizations and risk- 
based contracts with the District of Columbia and the Washington, DC healthcare 
marketplace. 

In our initial meeting with Mr. Milligan at Chartered, as well as subsequent 
conversations, Mr. Milligan readily admitted that his company had never previously 
audited a Medicaid managed care organization and that he and his staff would be learning 
about the industry while auditing Chartered. When his staff arrived, it became readily 
apparent that they had little familiarity with the industry. For example, they did not know 
what a CPT code was. Indeed, Chartered went so far as to lend the auditors reference 
materials to acquaint them with the requirements of the Health Insurance Portability and 
Accountability Act, known as HIPAA. This lack of familiarity also manifested itself in 
the following: the failure of the auditor to understand how to audit claims files and what 
a lag report is, resulting in multiple attempts to provide them with claims information; the 
failure of the auditors to understand the District's process for assigning members and its 
impact on the reconciliation of primary care capitation payments; and the failure of the 
auditors to understand the difference between a primary care provider and a full service 
health care center that provided a wide scope of health care services, including primary 
care to the disadvantaged. Other more experienced auditors, such as KPMG, audit 
Chartered 's claims files with relative ease. Chartered contends that it was this lack of 
familiarity that lead to the erroneous conclusions contained in the auditor's report. 

Since the Enron Scandal in 2002, national accounting firms have focused increased 
attention on issues involving related party transactions and Board operations. Yet, in 
spite of this increased attention, KPMG, which has audited Chartered since 2000, did not 
find any material weaknesses in Chartered' s internal controls, including any related party 
transactions or in Board operations. Furthermore, all related party transactions were 
conducted at fair market value and were consistently disclosed on Chartered' s audit 
financial statements, which were provided to the Department of Health. This lack of 
findings of material weaknesses by an auditor with eminent experience in Medicaid in the 
District and nationally underscores the difference that experience makes in evaluating 
internal controls. 

Significantly, Chartered' s contract with the District is a risk-based contract. That means 
that the District pays Chartered to provide health care services to Medicaid eligible 
residents. The District, in doing so, expects that Chartered will accept the risk that the 
cost of providing these services may exceed the actuarially determined amount that the 
District pays. The District understands that to the extent that Chartered pay less for these 
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services than established in the capitation, Chartered has the right to retain those funds 
and use them for its business purposes. As a consequence, the issues raised in this audit 
report regarding administrative services are of no concern to the District. Chartered' s 
administrative costs are below the actuarial determined amount and therefore are 
appropriate. 

Finally, Chartered is a privately held company. In that regard, the individual owner must 
be protected against risk and liability exposure. Most of the items mentioned in the audit 
report would be issues for the protection of the stockholders of a publicly-traded 
corporation. Since the sole stockholder of the corporation was fully aware of the related 
party transactions at issue here, there is no lack of consistent transparency and disclosure 
that would lead to the alleged material weaknesses and reportable events cited by the 
auditor. 



II-I Transactions with related parties are not supported by adequate 
documentation. 

In this finding, the auditors assert that transactions between Chartered Health Plan and its 
affiliated companies lack adequate documentation. Chartered does not agree with this 
finding because all transactions with related parties were: conducted at prices at or below 
fair market value prevailing rates properly documented in agreements between the parties 
supported by evidence that the services were rendered and received and appropriately 
disclosed to the Department of Health in Chartered' s audited financial statements, report, 
correspondence as well as disclosure during rate negotiations with the actuaries. 
Therefore, all contracts with Chartered and its affiliates were negotiated at arms length 
and in many instances the prices paid by Chartered were below prevailing market rates. 

The Chartered Family Health Center 

The auditors, first, challenge the primary care capitation rates paid to the Chartered 
Family Health Center (CFHC). While the capitation rates paid will be addressed more 
fully in Chartered 's response to Section III- VI below, it is important here to address, the 
lack of understanding that permeates these findings. Significantly, the CFHC is a full 
service health center located on Minnesota Avenue NE that is dedicated to serving over 
10,000 of Chartered' s members as well as others in the community who lack the 
resources to obtain health care. It is not merely a primary care provider. Indeed, no other 
provider in Chartered 's network provides the comprehensive services the CFHC 
provides. The center employs doctors, registered and licensed practical nurses, physician 
assistants, x-ray and sonogram technicians, pharmacists, receptionists, appointment and 
medical record clerks and management and administrative personnel. The CFHC 
provides primary and specialty health care to both adults and children as well as 
obstetrical and gynecological care, pediatric care, orthopedic care, and nutritional care. 
There is a fully stocked pharmacy on the premises as well as a facility for drawing 
medical samples for testing. CFHC also houses the WIC program, and serves as a center 
for training health care professionals. It also hosts health care education classes and other 
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community events for Chartered 's members. Equally as significant, in addition to the 
regular schedule of clinic appointments, the CFHC offers open access, or same day 
appointments to enrollees, which maintains physician and health staff availability when 
patients present, even though they may fail to appear. These additional services provide 
needed access for the Medicaid population, which has a high no-show rate for 
appointments, and helps to prevent more expensive emergency room visits and hospital 
stays. 0jr 



The uniqueness of the CFHC services and the role CFHC provides in a federally 
designated medically underserved community is the reason why the CFHC is more 
expensive to operate than a physician's office or even a Federally Qualified Health 
Center. The failure of the auditors to appreciate this operational reality of the CFHC or 
to even travel to CFHC and see first-hand how it operates, explains and underscores the 
deficiencies evident in their findings. 

Because of the extensive nature of the services provided at CFHC, the capitation rate paid 
by Chartered is higher than the rate paid to a primary care physician and other providers 
that do not exclusively serve Chartered' s members. The calculation on how the 
capitation was derived is addressed on pages 13-15 of this response. 

Furthermore, in 2002 Chartered decided to cease operating the CFHC and Rapid Trans 
because of the significant risk and malpractice exposure from providing healthcare and 
risk of a ccidents in transporting members from high crime areas. That risk was assumed 
by DC Healthcare Systems, Inc., the parent of Chartered. An example of this risk is the 
$60 million lawsuit that Chartered has been battling since 1997 against Dr. Hayes, the 
former lead physician at CFHC and the premier personal injury law firm of Jack 
Orlander. 

In 2002, Chartered as part of its decision to divert CFHC and Rapid Trans agreed to 
cover the cost of the $60 million litigation and that CFHC would bear the cost of settling 
a damage award from the massive litigation. Therefore, the liability for this lawsuit was 
downstreamed by Chartered to CFHC. Chartered has vigorously fought this lawsuit to 
defend itself and CFHC where the damage occurred. 

Based on the advice of legal counsel in 2003 and the fact that the liability insurance 
carriers for malpractice coverage were in bankruptcy, Chartered began to fund a reserve 
for self insurance for CFHC to cover the risk and exposure from this lawsuit and to build 
this into the rates paid to CFHC. The current estimate to settle this lawsuit ranges from 
the $4.5 million demanded by the plaintiff or up to $7.5 million if the case goes to trial by 
a DC jury. 

This pending lawsuit was disclosed to the auditor in our memo on the rate calculation for 
CFHC, but he did not follow-up with management to ascertain any of the details. 

Therefore, Chartered does not agree with the auditor's findings that amounts paid to 
CFHC appear to exceed amounts paid to unrelated parties for similar services, because 
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the auditor failed to consider the scope of services provide by CFHC, exclusively to 
Chartered members, the analysis performed by Chartered in developing the rate, the 
record of services rendered at CFHC, the comparative data with similar health centers, 
and the massive liability exposure faced by CFHC from the Hayes case. 

The auditor also questioned the $1.8 million paid to DC Healthcare Systems, Inc. 
(DCHSI), Chartered's parent company. This $1.8 million was reimbursement paid to 
DCHSI for consulting services rendered and reimbursement for administrative expenses 
incurred by DCHSI for Chartered and the debt service on the $3.5 million loan for the 
acquisition of Chartered in May 2000. Therefore, the auditor's statement that the $1.8 
million was totally for consulting services is erroneous. The consulting services rendered 
by DCHSI Chairman and its general counsel were billed at or below prevailing fair 
market rates and valuable services were rendered by both individuals to further 
Chartered's business objectives in accordance with the terms of the agreement with 
DCHSI and Chartered, were in fact paid in accordance with the terms of the contract and 
the services rendered are adequately documented and supported by the result generated 
for Chartered and the value received. 

The auditor's comments about transportation services, rent, and other consulting and 
professional services are misleading because all of the services were performed in 
accordance with the respective agreements and were paid by Chartered at or below 
prevailing fair market rates in al cases as further addressed below. Significantly, it should 
be noted that Chartered does not have a cost-plus contract with the Department of Health 
where administrative expenses are part of the cost calculation. It has a risk-based 
contract. Under these circumstances, administrative expenses are a multiple of medical 
expenses and calculated at 15%. Because Chartered's administrative expense is less than 
15%, the administrative expenses as a whole are clearly not excessive. 

The auditors go on to find that the transactions between Chartered and its affiliated 
companies are not arms-length transactions, however, the auditor fails to provide either a 
definition of what constitutes an arms-length transaction or to indicate how the 
transactions might have differed if an arms-length transaction had, in their definition, 
taken place. There are two important components to an arms-length transaction, both of 
which are clearly met by Chartered. The first element is disclosure which has 
consistently been adhered to by Chartered in audit reports to MAA, consequently, the 
Medicaid agency is very aware that the entities are affiliated. The second element is that 
the rate charged to Chartered is at or below fair market value as demonstrated by the fact 
that the related party's rates are at or below charges for such services in the open market. 
Again, Chartered consistently has provided evidence that its related rates are at fair 
market value. 
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Transportation Costs 



The first area challenged here are transportation costs. Apparently, the auditors challenge 
the amount that Chartered paid to RapidTrans for transporting its members. As indicated 
above, the District government is well aware that Chartered and RapidTrans are affiliated 
and know the rates that Chartered pays to RapidTrans to transport its members. To 
determine rates for RapidTrans, Chartered assembled comparative market data for non- 
emergent Medicaid transportation. As part of that analysis, Chartered compared the 
District, Maryland, Virginia, Delaware and US rates for non-emergent Medicaid 
transportation for the year 2001, the most recent data available. That analysis revealed 
that the RapidTrans rates are at or below rates from unrelated entities for similar services. 
A chart displaying the transportation data was provided to the auditors. The information 
provided also showed that in Fiscal Year 2005, the RapidTrans rate was almost V2 the 
non-emergent transportation expense for the Medicaid population in the District on a 
PMPM basis. 

However, there are customer service related issues here that because of the auditors' 
unfamiliarity with the District, they fail to fully grasp. Our members are challenged to 
respond promptly to pick-up times. RapidTrans is then in a posture of either leaving a 
member to miss an appointment or make other members late or miss their appointments 
altogether while they wait for a tardy member to appear. If the member misses a medical 
appointment, it may mean weeks or months to reschedule. RapidTrans is set up to 
respond to this with additional vehicles or other re-routing so that members can meet 
appointments and have access to care. Also, as indicated above, many of our members 
have large families and often appear with six (6) or more children without prior notice. 
Other transportation vendors that were considered to provide transportation services 
advised Chartered that they could not accommodate large families and that they could 
only transport two family members per trip. It should be noted that 33% or 10,689 of 
Chartered' s members were from a family size of 2 or more. RapidTrans' ability to 
handle large families at no cost is critical to Chartered's ability to meet its members' 
health care needs. 

The detail analysis and price comparison with other vendors of prices and scope of 
services and limitations including the risk of unreasonable price escalations clearly 
documents that the transportation expense meets the fair market value test. Chartered has 
learned that the auditors believe that the Medicaid members transported by the District 
were sicker than Chartered members were, but they offer no proof that is the case. One 
has to question, why they accept this assertion with no documentary support, but 
challenge Chartered's documentation when it includes the annual report of a District 
agency. 

The Payments to the Holding Company 

The second issue here is the rent that Chartered pays to the holding company. In 2005, 
Chartered paid DCHSI $25 per square foot for its office space pursuant to a triple net 
lease. Similar to the transportation example, Chartered meets the arm's length 
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transaction test. For example, the rent paid is comparable to rents in the area market. In 
fact, at its old location, 820 First Street, NE, Chartered was paying $25.90 per square foot 
for basement level space for some of its space and $27.68 and $33.29 per square foot 
additional space that it acquired to meet is operation needs, also a triple net lease. 
Chartered also compared the rent charged by DCHSI to other rents in the area. 
Comparable rate and proposals received by Chartered from other landlords were as 
follows: 



• 1400 K Street NW $38.50 per square foot; 

• 1 129-20* Street NW $35.00 per square foot; 

• 1 155 15 th Street NW $38.50 per square foot; and 

• 501 Third Street NW $38.00 per square foot. 

Chartered information in this regard was available, but the auditors never asked for it, and 
again the auditors drew their conclusions without critical information, leading to their 
erroneous material weakness finding. This finding is just not accurate . 

The auditors also question the consulting and professional fees charged to Chartered by 
the affiliated entities. While they are not explicit in their allegations, we must assume 
that they are referring to the fees charge by the DCHSI and by Thompson, Cobb, Bazilio 
& Associates for management consulting services. Once again, we are constrained to 
point out that these are adniinistrative costs and not germane to the medical costs issues 
that should have underlain this audit. The rates charged by DCHSI to Chartered includes 
the management and consulting fees for two individuals, the Chairman and legal counsel 
who assumed other duties and also the fees charged by other independent vendors for 
work done for Chartered. 



The Chairman's time was charged at $198 per hour and counsel's time $205 per hour. 
As noted above, fair market values are that which are at or below charges for such 
services in the open market. The Chairman's time is below what he charges in his work 
as a Partner at Thompson, Cobb, Bazilio & Associates, PC (TCBA), an accounting firm. 
Mr. Thompson's General Services Administration rate is $231.86 per hour. On the GSA 
Schedule, on which the Chairman's firm is listed, accounting firm partner rates are from 
$172 to $296 per hour. The Chairman's rate for non-government work is $225 per hour. 
KPMG, Chartered' s external auditors' standard billing rates for a partner is $700 per 
hour, a senior manager is $600 per hour, and a senior accountant is $375 per hour. 
Counsel's time was billed at $205 per hour. At his previous firm, counsel's time was 
billed at $325 per hour in 2002. Furthermore, at present, Chartered pays law firms, such 
as Epstein, Becker & Green between $360 and $400 per hour for attorneys with the same 
experience as its counsel and Feldesman Tucker between $250 and $315 hours for 
attorneys with less experience. 

Chartered also regularly pays other independent consulting firms between $110 and $360 
per hour for other consulting services. It is clear from the foregoing that Chartered 
obtained more than fair market value for the services rendered by the DCHSI personnel at 
issue here. 
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The auditors also claim that no evidence was present to support that services were 
actually performed. However, the auditor never examined evidence of work products 
when it was provided to them concerning the valuable work performed by TCBA and by 
DCHSI, which is adequately documented and explained in inforrnation provided to the 
auditor. It follows, then, that their claim that no documentation to support these fees was 
presented is without merit. If it mattered to them, they should have requested it. 

In sum, the auditors' claim that Chartered' s transactions with its affiliates were 
undocumented and does not provide fair value is clearly erroneous. Chartered does 
document it transactions. The relationships between the parties are well disclosed to the 
District government and the rates charged were well within what is charged in the 
marketplace for similar services. 

With respect to the auditors' recommendation, Chartered respectfully disagrees. All 
related party transactions meet the fair market value test and were adequately disclosed. 
Moreover, the auditor has not provided a test for fair market value to show that 
Chartered's analysis of open market prices in invalid. The review of transactions between 
affiliated companies is designed to ensure that investors and third parties are fully aware 
of what happens and conduct their affairs accordingly. With respect to the transactions 
here, all of the interested parties were aware of the transactions and the investor approved 
them. There was full disclosure and approval. Moreover, Chartered is audited by KPMG 
each year and supplies that audit to MAA. All of the reportable transactions are in that 
audit. This audit and the fair market value comparison is all that should be required for 
an organization of this type. Furthermore, Chartered's rates are negotiated and approved 
by MAA's actuaries and Chartered actuaries. This recommendation again demonstrates a 
fundamental lack of understanding of the industry and the nature of this contract. 

II-n CHARTERED'S control environment and risk assessment process need 
to be improved. 

Chartered is at a loss to understand the nature of this finding. Chartered does have 
internal controls and maintains an internal control environment. With respect to the 
recommendations, Chartered would point out initially that again, Chartered is a privately 
held company and much of the discussion related to public held companies or not-for 
profit entities. Also, as indicated above, Chartered's activities are audited each year by 
KPMG and they have not noted the deficiencies that the auditors here have indicated, and 
unlike these auditors, KPMG has considerable experience auditing managed care 
organizations. 

However, with regard to the requirements for control environment, Chartered already has 
these elements. Chartered has a Board of Directors that is comprised of individuals who 
are not employees and who have extensive health care and business experience. 
Chartered also has an Internal Auditor. Chartered also has a Code of Conduct that every 
employee signs when hired and is reinforced in the new hire orientation as well as regular 
staff meetings. In addition, selected staff, including all claims staff, receives additional 
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Fraud, Waste, and Abuse training provided by Ingenix to enhance their ability to detect 
this type of conduct when it occurs. 

Also in the report, the auditors suggest the Chartered obtain a "whistleblowers hotline." 
However, Chartered has an established Compliance Hotline maintained by National 
Hotline Services, Inc. The number, 1-800-688-2594, is given to employees when they 
are hired, appears on Chartered' s internal and external websites, and is in our member 
and provider handbooks. The reports from the hotline go to both the Compliance Officer 
and the Internal Auditor and the reports are kept in a log. 

Chartered also has an established ethics policy for all employees including senior 
management. 

Chartered admits that it does not have a separate audit committee, but no current 
employees of Chartered sit on the Board and therefore, the reports of the external auditors 
are in no way hindered. Also, both the Compliance Officer and Internal Auditor have the 
capacity to speak directly to the Board regarding any control issue. However, Chartered 
will investigate the merits of an audit committee. The other recommendations are totally 
without foundation or merit. 

II - III CHARTERED was unable to demonstrate that it has adequate controls 
over IT Functions 

In November 2006, Samlin Consulting Services (Samlin), a sub-contractor to Milligan 
and Company started the internal control and Information Technology (IT) fieldwork at 
Chartered. Chartered personnel were assured at the kick-off meeting that the auditors 
would finish their fieldwork in 2 -3 weeks. Chartered made all parties aware that 
between January 1 and May 1 , it had a number of significant activities to perform, many 
required by contract and law while others were imposed by MAA and would have limited 
ability to respond to the auditors' requests. 

Nonetheless, Chartered's IT staff spent a significant amount of time with the auditors 
walking them through the managed care main frame systems, the processes and the 
functionality of IT operations, including security. After four (4) weeks of intensive 
fieldwork, Samlin introduced the CMS Information System Capabilities Assessment for 
Managed Care organizations questionnaire and expected Chartered to complete it. The 
questionnaire contains over 45 pages of questions that were redundant to information 
already provided to Samlin. As our expectation was that the field work should have been 
completed, and Chartered' s IT staff was supposed to move on to their other critical tasks, 
Chartered discussed the reason for not receiving the questionnaire at the beginning of the 
fieldwork rather at what Chartered concluded was the end of the process. This would 
have saved time; however, Mr. Samlin stated that they just got the CMS questionnaire, 
and it was not available to them at the beginning of the fieldwork. Chartered discussed 
the possibility of Samlin completing the questionnaire with the extensive information that 
they gathered in the past weeks of fieldwork. This would have afforded Chartered' s IT 
staff the opportunity to move on to focus on HEDIS Measures for 2006, continue with 
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NCQA accreditation preparation and the year-end closing processes. Samlin refused this 
request, and in February of 2007, Mr. Samlin called and requested the completed 
questionnaire. Although, he was told that the questionnaire was not complete, Chartered 
advised him that the missing areas were covered in the iirforrnation that had been 
provided during their fieldwork. Mr. Samlin asked that the questionnaire be sent to him 
and that he will let Chartered know if he required any additional information. Chartered 
submitted the questionnaires to the Samlin on February 22, 2007. Chartered heard 
nothing further from Mr. Samlin. 

Despite all the urgent matters and the important deadlines that Chartered was facing with 
MAA, and NCQA, Chartered spared no efforts to accommodate, educate and guide the 
audit team to understand Chartered 's custom tailored Medicaid managed care system. 
However, the statement in Section II —III of the audit report " Chartered' s inability and 
unwillingness to provide this data or equivalent data represents an inability to 
demonstrate adequate internal controls over its IT systems" is unfounded and untrue. 
Chartered provided the equivalent data before the questionnaire was even presented. The 
problem rested in the lack of preparedness of the auditors to conduct the audit, not in 
Chartered' s unwillingness to provide information. 

In addition, please find attached Chartered response to the deficiencies noted on 
Appendix A by Control Objective. 

KPMG, Chartered 's auditors audits our IT controls and have made recommendations that 
were implemented by management. But the findings detailed in this report are 
unsupported and inconclusive in many respects. Chartered will review them and where 
warranted will implement corrective measures. 

SECTION III: Reportable Conditions 

III-I No SAS 70 report is obtained from service centers responsible for 
processing claims and encounter data 

SAS 70 audit reports on the internal controls of service centers that process data for 
Chartered may be helpful to Chartered' s auditors in the evaluation of the overall system 
of internal controls. However, our external auditors, KPMG, and other auditing firms 
have reviewed and evaluated our internal controls and did not request such reports. 
Although we feel that there are substantial controls over the data processed by service 
centers, we will ask them to provide SAS 70 reports, which we will make available to our 
auditors 

III-II CHARTERED does not have a formalized policy to fairly allocate 
administrative costs to affiliates. 

This finding is not accurate. As we demonstrated to the auditors, Chartered has a 
reasonable and established method of allocating any cost for services rendered by 
Chartered to its affiliates. The following is the brief description of the methodology that 
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Chartered uses to bill for the administrative support services in handling of the payroll, 
employees benefits, accounting and other related administrative services: 

"Chartered shall estimate a percentage of each of its employee's time spent/incurred 
to provide the administrative services to affiliates and, based on that estimate, charge 
affiliates for a correspondent percentage of the employee's base salary, plus 30% for 
estimated payroll taxes, fringe benefits and overhead costs, plus 10% margin fee." 

This process was documented and covered in a Memorandum of Understanding (MOU) 
dated January 23, 2003. 

Based on the above, in 2005, Chartered billed RapidTrans $45,169.48 (Based on the 
auditors' request on March 30, 2007, a copy of this bill was provided to auditors on April 
2, 2007). Also, in 2005 Chartered billed Chartered Family Health Center $73,335 for 
administrative and accounting functions, in accordance with Chartered's formal 
methodology for allocating costs to affiliates. 



III-III Prepare and document formal procedures to minimize fraud and 
inaccurate claims and encounter reporting by providers 

Chartered Health Plan has a Compliance Plan that addresses fraud, waste, and abuse. 
The essential elements of a Compliance Program include the following: 

• A Compliance Committee that meets regularly to provide compliance oversight- 
Chartered has such a committee; 

• A Compliance Officer who is a member of senior management- Chartered has 
such an officer who has direct access to the Board of Directors; 

• A Compliance Plan- Chartered has a compliance plan 

• A Code of Conduct that includes a statement that employee will not be sanctioned 
for reporting Fraud, Waste, and Abuse - Chartered has such a plan and has 
employees sign that they have received it. 

• Employee Training- Chartered has a new employee orientation where the 
provision of the Code of Conduct, as well as what constitutes Fraud, Waste, and 
Abuse are discussed. There is also additional focused training on Fraud detection 
and HIPAA provided as well as recent courses in coding; 

• Policies and Procedures which require employees to immediately report suspected 
instances of fraud- Chartered has such policies; 

• Background checks on employees- Chartered conducts an initial background 
check when an employee is hired and Chartered now conducts an annual check of 
criminal and OPM disbarment records to ensure that no employee has been bared 
from federal programs or convicted of a crime that would effect employment; 

• Policies that require medical providers to disclose adverse actions against them by 
public entities or accrediting bodies- This is in Chartered provider contracts and 
Chartered check the status of providers with these entities on a regular basis; 
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• Performance evaluations - Chartered has a performance evaluation process for 
employees, including senior management; 

• Risk Assessment- The Compliance Committee, the Quality Management 
Committee, and the Board regularly review risk areas; 

• Annual approval of the Compliance plan - The Board has commenced approving 
the Compliance Plan effective this year. 

In addition, as Chartered demonstrated to the auditors, it has extensive protocols in 
addition to the Ingenix product that it uses to detect any claims waste, fraud and abuse. 
All Chartered's claims are adjudicated with 3 levels of audit; 1) "Auto Audit" software to 
detect any outpatient bundling and unbundling of services by CPT code based on the 
AMA rules of coding and billing for services; 2) "Charge Master" audit of all inpatient 
claims to determine that all billable services are appropriate and in accordance with CMS 
allowable billable services and 3) Manual Claims Audit by internal claims auditors. In 
addition, Chartered has contract with IHAS to perform on-site hospital audits of certain 
inpatient charts. 

In 2005, as a result of these claims audit protocols, Chartered recovered $3.79 
million that reduced the total claims cost and healthcare costs. 

One of the auditors' concerns is that they believe a major portion of Chartered's health 
services are provided through an affiliate. This is not true. Chartered pays less than 12% 
of its total medical cost to RapidTrans and Chartered Family Health Center, and the 
majority of these payments are in monthly capitation which down streams the total risk to 
these entities. 

Also, Chartered is aware that there are two major concerns with managed care fraud. The 
first is underutilization and the second is prescription drug fraud and abuse. Based upon 
credentialing reviews in 2005, Chartered commenced programs to address both issues in 
2006. Chartered now reviews narcotics utilization on a monthly basis to identify 
potential instance of fraud and abuse by members, providers, and/or pharmacies. 
Chartered has reported potential fraud cases to MAA and addressed the issues of abuse 
with such success that only two individuals out of more than 20 still have serious issues 
today. Second, with regard to underutilization, based on 2005 data, Chartered 
commenced a program to identify members who had not seen a physician in the 
preceding 12 months and made outreach effort to have that member access care or to 
address any barriers that the member might face. This effort resulted in a 2007 
reorganization of Chartered to focus more of preventive efforts. All of this emanated 
from Chartered Compliance program which cannot be considered inadequate. 

Finally, Chartered is reviewing the services provided by Ingenix and other potential 
vendors to determine whether there is a more cost-effective fraud detection program 
available. This is a clear indication that Chartered's program is vibrant and aggressive in 
its nature and has resulted in significant cost savings and recovery. 
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m - IV Prepare and document formal procedures for extraction and consistent 
reporting of claims payments and encounter data 

We disagree entirely with this finding. The auditors did not include all the facts 
surrounding their audit of this area in their report. Their objective was to reconcile the 
detailed claims cost to the amount recorded on the General Ledger and determine the 
number of encounters in 2005. The standard practice used by experienced actuaries and 
auditors would be to reconcile the lag report's paid claims data to total annual claims 
recorded on the general ledger. Then claims cells from the lag report would be 
reconciled to the detailed claims paid file. Since the auditors were unfamiliar with the 
nuances of claims processing and lag reports, we made considerable efforts to assist them 
in grasping the related concepts. However, they did not accept our advice and took 
another approach. 

The following represents a true chronological account of the requests from the auditors 
and our responses: 

■ The disk noted in the finding as the first file is not, indeed, the first file on CD that 
was provided to the auditors. The initial request for claims data was made on 
February 14, 2005. The auditor requested claims data for all dates of service 
(DOS) in calendar year 2005. The first CD of Claims we provided to the auditors 
was extracted by Information Systems (IS) and reviewed by the auditors. IS and 
Finance were informed that the data did not match the claims lag reports for the 
year. Finance explained to the auditors that the lag report is on a "paid basis" and 
the data they requested was based on DOS. 

■ They requested a 2 nd CD consisting of all claims in calendar year 2005 based on 
paid dates, including all lines, e.g., procedures, etc. The second CD was created 
with this data, as requested, and provided to the auditors. The auditors 
complained that the CD included incorrect field separators, while in fact, these 
were "Time Stamps." The auditors asked us to explain this file and the field 
separators, which they believed to be incorrect data. We determined that the file 
was correct and that the auditors did not want the date stamp data associated with 
each line. This was corrected and a third CD was presented to the auditors on 
March 1,2007. 

■ After further discussion with the auditors to assist them in analyzing the data, IS 
determined that the auditors would need additional information (claims reversals) 
that was not mentioned in their original request. A fourth CD of paid claims lines 
with reversal data was created and delivered on March 7, 2007. This, however, 
was once again deemed insufficient by the auditor. 

■ Another conversation between IS staff and the auditors ensued, after which, it was 
decided that zero-dollar claims should be included to ensure that the auditors 
could determine accurate encounter data. This was not a part of their original 
request, again demonstrating their lack of understanding of their objectives and 



Page 12 



the claims payment process. A final (fifth) CD was created covering all claims, 
including zero-dollar claims. This CD was delivered on March 22, 2007, with the 
full understanding that it would require more effort on the part of the auditors to 
drill down to a sample based on individual claims. 

" At this point, the auditors questioned why the number of claims increased from 
approximately 770,000 to approximately 880,000. We explained that each row in 
the file does not represent a claim, and that both files contained the same data, 
only in a different display format. To demonstrate this, we produced a report 
from the file showing 321,300 unique claims paid for the calendar year 2005. 

The apparent reason for the creation of so many CDs was the inexperience of the auditors 
in auditing claims data in a managed care environment. If they had explained to us what 
they wanted to audit, we would have extracted the pertinent data elements needed to be 
included in the file, in which case, only one CD would have been needed. In fact, the 
auditors admit in their report that there was no material difference in the financial and 
non-financial data between the files produced. 

According to the auditor's finding on page 10: "Millco performed a comparative analysis 
on the files received and noted that the results of financial and non-financial data did not 
change by a material amount". Then, the report on page 10 contradicts the above 
statement by alleging an inconsistency in extraction of the claims and encounter data 
files, while, in fact, the inconsistency was created as a result of the multiple data requests 
by the auditors. 

Concerning the auditor's recommendation, we have formal procedures for extracting data 
from the claims system for internal and external reporting purposes. However, the 
information requested by the auditors would be classified as ad hoc, at best. While we 
have standards for ad hoc reporting, the accuracy of the reports depends on the clarity and 
completeness of the request. The auditors did not understand what information they 
needed from the claims system to satisfy their audit purposes, as evidenced by the 
omission of critical data elements from their numerous requests. 

III-V Controls should be strengthened over payments to pharmacies 

As described to the auditors, payments are made via wire transfer to the pharmacy 
benefits manager, Caremark, on a bi-weekly basis, based upon a request faxed to us from 
Caremark. The biweekly payments are not individually reconciled, however; on a 
monthly basis, Caremark submits an electronic report of claims made by date of service 
and a monthly claims lag report showing the paid pharmacy claims by date incurred. The 
Director of Finance reviews and analyzes the payments to Caremark and reconciles the 
payments and the detailed electronic claims report received to the lag report and any 
differences are reviewed and adjusted on subsequent reports. Therefore, we do not agree 
with this finding, but will enhance these procedures where warranted. 
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Ill - VI Certain costs are paid for and paid to Chartered Family Health Center 
that are charged to healthcare costs without supporting documentation. 

Chartered is at a loss to determine what the auditors mean that "certain costs" are paid to 
CFHC without adequate documentation. One should note that, it is clear that the costs 
are documented because they actually saw them. What it appears that the auditors are 
trying to say is that Chartered cannot justify its capitation payments to the CFHC. 
Chartered provided a detailed explanation as to how it reached its full risk capitation 
payment to the CFHC. The auditors simply rejected the explanation without exploring 
any of the financial or operational components of the analysis. Instead, they simply 
compare the costs of the Health Center to those of a primary care practitioner and state 
that the $49.44 per member per month is unsupported when compared to the $21.50 paid 
to providers. The problem here as with other areas of the "Findings" is that the auditors 
never bothered to acquaint themselves with what the CFHC does by at least visiting the 
health center to see that it is nothing like an ordinary doctor's office. They never 
attempted to gain an understanding of the challenges facing a Medicaid population or 
what a provider has to do to meet those challenges. 



The capitation rate for the CFHC in 2005 was computed based upon the following chart: 



SERVICE CATEGORY 




PMPM 


Primary Health Care 


$ 


20.00 


Member Education Classes - Total of Six Classes 


$ 


4.86 


Fetal Alcohol Study 


$ 


2.92 


Membership Outreach 


$ 


2.92 


Early and Periodic Screening, Diagnostic, and Treatment (EPSDT) 


$ 


2.80 


Laboratory Testing 


$ 


1.94 


Pre-Natal Education 


$ 


1.94 


Space and Overhead for Mental Health Program 


$ 


1.94 


HEDIS Encounters for All Members 


$ 


1.80 


WIC Program 


$ 


0.97 


Transportation Hub - Rapid Trans and Wellness Van 


$ 


0.97 


Urgent Care Administrative Services 


$ 


0.97 


Primary Care Practitioners/Behavioral Health Providers/Medical Specialists 


$ 


0.90 


Pharmacy Services 


s 


0.90 


Disease/Case Management Services 


$ 


0.90 


Substance Abuse Services 


$ 


0.45 


Diagnostic Testing (i.e. radiology) 


$ 


0.45 


Pregnancy Related services (prenatal, perinatal and postpartum care) 


$ 


0.45 


Diabetes Care Services 


$ 


0.45 


Behavioral Health and Social Service Counseling Services 


$ 


0.45 


Vision Services 


$ 


0.45 


TOTAL 


$ 


49.44 
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In pricing the capitation for the Center, Chartered must quantify the cost associated with 
each of the ten items listed and/or look for comparable pricing structures for clinics and 
other health centers that provide like services. Below is a scheduled with comparable 
pricing structures for Washington, DC and other metropolitan areas on in the country 
which shows that the CFHC's capitation rate is comparable to market rates. Please note 
that these price ranges are all for health centers that provide comprehensive health 
services to the medically underserved. 



Health Center Reimbursement 






















Range of PMPM Capitation 






Effective 


Cost Per 


Based on Cost/Visit with 3.5 to 




Region 


Date 


Visit 


4.5 Visits Per Member Per Year 


1 


Washington, DC Primary Care Avg. 


1/28/2006 


S 135.00 


$ 


39.38 


to 


$ 50.63 


2 


Austin, TXFQHCAvg. 


12/1/2005 


$ 16335 


$ 


47.64 


to 


S 61.26 


3 


Miami-Dade, FL FQHC Avg. 


10/1/2006 


S 136.19 


$ 


39.72 


to 


$ 51.07 


4 


EI Paso, TXFQHCAvg. 


12/1/2005 


$ 136.12 


$ 


39.70 


to 


S 51.05 


5 


Michigan FQHC Avg. 


1/1/2006 


$ 130.37 


$ 


38.02 


to 


$ 48.89 


6 


Central FL (Orlando Area) FQHC Avg. 


10/1/2006 


$ 123.87 


$ 


36.13 


to 


$ 46.45 


7 


Dallas, TX FQHC Avg. 


12/1/2005 


$ 114.74 


$ 


33.47 


to 


S 43.03 


8 


CMS Upper Payment Limit Avg. 


1/1/2006 


$ 112,96 


$ 


32.95 


to 


$ 42.36 


Average 


$ 


38.38 


to 


$ 49.34 



Furthermore, it should be understood that the Health Center is located in an area that is 
underserved by health care providers. It seeks to serve a population that faces a number 
of challenges in addition to their health disparities. It is important to maintain access for 
this population, which finds it very difficult to make and to keep appointments. 
Consequently, to ensure capacity is available when members seek to access care is 
critical to providing health care to our members. In addition, the Health Center has rather 
high medical malpractice insurance premiums that must be paid. 

It should also be noted, the Health Center and Chartered Health Plan are involved in a 
major malpractice lawsuit with a former physician-employee of the Health Center. The 
legal action seeks $60 Million Dollars in damages. This case involves the delivery of a 
baby at the defunct Columbia Hospital for Women that settled the Hospital's liability. 
The Health Center will bear the cost of the settlement of the malpractice case because the 
insurance company that would have paid for much of the litigation is now bankrupt. 
However, given the fact that Chartered Health Plan and the Health Center are the only 
viable entities remaining in this matter, the plaintiff and the attorney of the child are 
pursing this matter vigorously. These are factors why Chartered ceased its ownership of 
CFHC in 2002 and sold it to DCHSI with all its risks and exposure. At some point, this 
matter may well result in a large settlement just to avoid more legal expense, and as noted 
above, the Health Center will fund this settlement. It is also Chartered Health Plan's 
recognition of costly factors of this nature that go into the determination of the CFHC's 
full risk capitation payment from Chartered. 
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The central question here as before is whether the Medicaid program received fair value 
for these services. As noted above, the elements of fair value are (1) that the agency 
knew of the relationship and (2) that the rate charged to Chartered is at or below fair 
market value as demonstrated by the fact that the related party's rates are at or below 
charges for such services in the open market. Also, these rates were disclosed in 
Chartered's cost reports to MAA actuaries and was also disclosed in Chartered' s annual 
audited financial statements provided to MAA. Therefore, Chartered does not agree with 
the auditors' finding. 

in- VII The number of enrollees in sub-capitation arrangements with PCP differ 
from the number of enrollees in sub-capitation arrangements with other 

The auditors were provided the capitation reports, as requested, and because of their 
inexperience with the capitation process, we spent a substantial amount of time 
explaining the reports to them. Also, our Manager of Membership and Eligibility 
Verification spent a substantial amount of time reviewing and explaining the reports and 
the eligibility process with the auditors. Chartered staff also spent a significant amount 
of time explaining capitation and the managed care retro-eligibility processes to the 
auditors. 

In fact, the monthly membership number (as calculated on the last day of the month) and 
the total membership used for capitation payments are never the same in any Medicaid 
managed care setting. The reason for the difference is that, in the Medicaid program, the 
District makes member additions and deletions retroactively for 90 days. As a 
consequence, the number used for monthly capitation payments can be above or below 
total membership calculated on the last day of the month. In addition, the file containing 
the monthly membership number is typically received on or about the 26 th of the month. 
However, Chartered receives daily enrollments and disenrollments from the District. As 
a result, the monthly membership number changes daily and subsequent capitation 
payments are adjusted to reflect these retroactive enrollments and disenrollments. 

Therefore, because of these factors, Chartered does not agree with this fmding, but will 
review these processes and enhance the controls where warranted. 

Payroll and Human Resources 

III - VIII Improve controls over payroll and Human Resources Departments. 

The first bullet point maintains that Chartered has no system in place to verify the 
accuracy of information place into the human resources system on a regular basis. This is 
not correct . The information is reviewed a second time by the Payroll accountant who 
has to perform several calculations and verifies that pay rates and deductions are correct. 
In addition, the employee receives a pay stub that indicates his/her information. Also, on 
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an annual basis, KPMG tests Chartered' s payroll to make sure that there are no phantom 
employees and that pay rates are correct and documented. 

The second bullet indicates that Chartered has no policy and procedural manual that 
address how human resources tasks are to be performed. There is a manual that lays out 
Chartered 's expectations as well as rights and responsibilities. It does not delineate the 
precise steps that have to be taken, but does lay out the general parameters of what 
happens to employees when they are hired. There are written job descriptions that 
outline what employees are expected to do and this explains human resources 
responsibilities; therefore, employees are fully aware of what they have to do. In 
addition, the forms used by Chartered to recruit and hire are all assembled and the 
personnel loading process merely requires that the information on these forms be loaded 
into the ADP H/R system. 

The assertions in the third bullet represent what Chartered would contend is a rush to 
judgment by the auditor. The auditor was told in an interview that human resources 
personnel do not have access to the ADP payroll module and that the payroll accountant 
does not have access to HR Perspectives (the ADP HR module) . In testing this control, 
the auditor asked Makeba Washington in Human Resources to attempt to log onto the 
ADP payroll through the HR Perspectives module. Ms. Washington logged on to HR 
Perspectives. The auditor asked her to press an icon that she was unfamiliar with and 
found that it when to ADP-Payroll. The auditor assumed from this that this employee 
had access. This was not the case . Human Resources personnel cannot log on to ADP's 
payroll module from HR Perspectives and this can be easily verified. The auditors have 
been advised of this; nonetheless, they persist in this erroneous interpretation of the facts. 

With respect to the fourth bullet point while it is true that the payroll accountant submits 
data to ADP, our payroll processor, and also receives the checks from ADP, there are 
significant mitigating controls to ensure that the payroll is accurate and secure. 

The payroll accountant cannot create payees in the payroll system. As indicated above 
this can only be done only through ADP's HR Perspectives module managed by the 
human resources personnel. The payroll accountant does not have access to the HR 
Perspectives module and the human resources personnel do not have access to ADP 
Payroll module. No payroll can be established in the ADP Payroll module by a 
department head. We use Personnel Actions Request (PAR) forms initiated by the hiring 
department head and approved by an executive level officer, the Chief Financial Officer, 
or other management person, as required. The Human Resources Department sets up the 
new employee in the HR Perspectives, which interfaces with the ADP Payroll module, 
and the payroll accountant enters the withholding information (e.g., W-4 information). In 
addition, all new employees are required to attend new employees orientation sessions 
held once monthly. If a new he or she cannot attend, they are contacted. If they cannot 
be contacted, the appropriate investigation takes place. 

As a further control, all time sheets (prepared by exempt employees and certain non- 
exempt employees) and punch edits (for time clocks) are reviewed and approved by 
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department managers prior to submission to payroll. Payroll registers are reviewed by 
either the Director of Finance or the CFO upon receipt from ADP and the dollar amount 
of the payroll is compared to the previous pay periods. Any unusual discrepancy is 
investigated and resolved. The payroll accountant does not distribute the checks to the 
employees, but rather to the department managers. 

All employee changes, including new hires, raises, bonuses, terminations, etc., are 
documented on a Personnel Action Request (PR) form signed by various persons, 
including the department head, the CFO, and other management, as required. 

In response to the fifth bullet Chartered, CFO or the Director of Finance, as stated above, 
reviews the payroll registers and investigates any unusual fluctuations in pay from prior 
periods. Supervisors receive budget reports showing their payroll costs compared to 
budget on a monthly basis. They are required to notify management of any unexpected 
variations. 

In response to the sixth bullet. Management approves all wire transfers prior to 
submitting the request to the Chairman, who has wire transfer authority. This is not a 
weakness. It is, in fact, an added control over the safeguarding of cash assets. The 
signed wire transfer form is maintained by the Chairman's office; however, all wire 
transfers made are verified and tracked by the Finance Department in their normal cash 
control processes, including bank reconciliation. 

III-IX Improve documentation and support over cash disbursements 

❖ As explained to the auditors, these transactions were consulting and other 
expenses that were charged by journal entry, then adjusted and allocated 
back to the parent company. Chartered did not pay these expenses and 
they are not included in Chartered's financial statements. 

❖ The auditors did not ask us for 3 1 journal entry batch listings. Our records 
show that they asked for 55 items, including the following: 

■ 45 AP invoices 

■ 10 GL j ournal entries 

Chartered provided all applicable invoices and entries to the auditors. 

❖ As Chartered personnel explained to the auditors, approvals of check 
requests are required by an executive manager and could be on the check 
request, on the invoice or on a contract that is attached to the check 
request After further review, we found that all the check requests are 
properly approved. 

❖ The "expenses" referred to were actually accrued expenses and not 
actually cash disbursements; therefore, no checks were issued. 
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After further review of all the requested expenses, we could not determine 
which two expenses were not properly posted to the GL. All entries are 
posted to the GL. 

Chartered 's standard practice is to stamp invoices as paid. However, if 
one invoice was not stamped properly, the accounting system (ACCPAC) 
will not allow the invoice to be paid twice. This is clearly a valid and 
operating mitigating control. 
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DC Chartered Health Plan, Inc. 
Report of Review of Operating Expenses 

Findings: 

In the course of its response to the Report on Examination of the Effectiveness of Internal 
Controls over Financial Reporting, Chartered has addressed in some detail, the auditor 
contention that Chartered' s affiliated entity transactions where not at arms length. As 
such, there is no need to further expound on those issues here. Chartered would note, 
however, that these findings do not relate in any way to the engagement questions 
outlined on page 1 of this report. None of these findings addresses the issue of disparities 
in capitation payments between the MCOs with the total amount paid to health care 
providers. None of these findings address whether legitimate medical services are being 
charged to medical costs. The internal control issues with respect to reporting of claims 
and encounter data is fully addressed by Chartered. While citing the need to improve 
Chartered's ability to address fraud, the report misses significant aspects of Chartered's 
Compliance program and wrongly states that it has no ethics policy or whistleblower 
hotline when clearly it has both and has had them for years. It would appear that rather 
than address the areas of concern to the Council, the auditors have embarked upon an 
effort to determine how Chartered spends that portion of its at risk actuarially detennined 
capitation payment that is totally within its province. 

Furthermore, the approach utilized by the auditors to determine what constituted a 
potentially excessive expense was based solely upon the auditor's estimate of the fan- 
value, without regard to the analysis and other information sources made available by 
Chartered, resources available at MAA, resources available at the other MCOs, resources 
available from the marketplace, and other public resources from which health care can be 
obtained. Therefore, the findings of the $7,679,964 of related party expenses that the 
auditor "felt" appeared potentially excessive and unsupported is not accurate, 
unnecessarily subjective and fundamentally flawed, especially in light of the absence of 
any significant managed care organization experience within the auditor group. 
Chartered does not agree with this finding. 

With regard to the comments in the Legend footnotes, Chartered Health Plan Responses 
as follows: 

Response to (a) 

CFHC is a multi- specialty, freestanding clinic that provides services that are significantly 
more than provided by PCPs. CFHC's services are comparable to the services provided 
by Federally Qualified Health Centers (FQHC). While CFHC is not a FQHC, it serves 
many of the same functions and many more services to CHP members who frequent it. 
For example, according to the Rural Assistance Center of the Department of Health and 
Human Services FQHCs provide the following services: 
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"FQHCs must provide primary care services for all age groups. FQHCs must 
provide preventive healw services on site or by arrangement with another 
provider. Other requirements that must be provided directly by an FQHC or by 
arrangement with another provider include: dental services, mental health and 
substance abuse services, transportation services necessary for adequate patient 
care, hospital and specialty care." 

These services are comparable to the services provided at CFHC. 

It is well recognized that FQHC rates and PCP rates differ and that FQHC rates are 
substantially higher. For example, in a recent report from the Center for Health Program 
Development and Management, the data company for the Maryland Medicaid Program 
reports that the range of rates for FQHCs is $95.16 - $200.62 and, for the same period, 
the range for PCPs is $31.90 - $43.41. Effectively, rate comparisons of CFHC and PCPs 
are not appropriate because the scope of services is not comparable. 

To establish CFHC full risk capitation rates, CHP utilized comparative data for market 
rates of FQHCs in the surrounding area and in comparable cities and current financial 
exposure from the pending $60 million law suit. For example, to set the current rate of 
$49.44 PMPM, CHP reviewed the market rate for FQHCs in the surrounding area: 
Washington, DC and Maryland. It also compared FQHC in the surrounding area and the 
federal government, and also compared FQHC rates in other regions. A chart entitled 
"Health Center Reimbursement," which is found on page 14 provides an illustration of 
the respective per visit costs and capitation rates. In every instance, CFHC's rates 
compare favorably and reflect fair market value. Chartered also provided the auditors 
with a copy of the 2005 Medicaid Annual Report, which at page 23, provides the DC 
Medicaid payments on a per member per month basis. This report revealed that the 
District pays the FQHCs on a PMPM basis almost 4 times the amount Chartered pays 
CFHC. See also page 15 above. 

Response (b) 

Although Chartered includes the Health Education expenses in the Medical expense for 
accounting purposes, the cost of the program is paid from Chartered 's administrative 
expense and is not included in the medical cost component of Chartered capitation 
payment. It, therefore, falls out of the scope of this engagement. However, the payment 
was developed and provided to the CFHC so that they could deliver Health Education 
services to all of Chartered's members even those that are not assigned there for primary 
care because of the current location of CFHC to the last number of Chartered's members 
who reside in Wards 7 and 8. These rates were developed by Chartered using market rate 
comparisons. 

Response (c) 

As demonstrated to the auditors on several occasions and explained above in this 
response, the capitation rate paid to RapidTrans is reasonable and based on comparable 
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market rates for non-emergent Medicaid transportation. To determine rates for 
RapidTrans, Chartered assembled comparative market data for non-emergent Medicaid 
transportation. As part of that analysis, shared with the auditors, Chartered compared the 
District, Maryland, Virginia, Delaware and US rates for non-emergent Medicaid 
transportation for the year 2001, the most recent data available. That analysis revealed 
that the RapidTrans rate was also at or below rates from unrelated entities for similar 
services. Significantly, the RapidTrans rate is almost Y 2 the non-emergent transportation 
expense for the Medicaid population in the District on a PMPM basis during 2005. 

In addition, the comparison used by the auditors assumes that Chartered members could 
take taxi rides at an average cost of Si 9 per one-way trip. First many Chartered enrollees 
live in areas of the District that are not conducive to taxi service. In these areas, taxis do 
not come when called and are consistently reluctant to go to these areas when hailed. 
Second, as indicated above, Chartered members are challenged to get to pick-up points in 
a timely manner, and taxis would not wait or return to pick them up as RapidTrans does. 
Third, as indicated above, many members bring more children with them than can fit in a 
taxi safely and most taxis would not have enough child safety seats to meet the needs of 
our members and comply with District law. 

Response (d) 

At the outset, it should be understood that with respect to the contention that the 
Chairman of Chartered charged any time to the consulting activity performed by TCBA 
for Chartered, Chartered states that this is inaccurate and would request the source of this 
contention by the auditors. 

The primary concern here again is whether the transaction between Chartered and TCBA 
is an arm's length one. An arms length transaction is one in which the charge to the 
organization is in line with the charge for such services, facilities, or supplies in the open 
market and no more than the charges made under comparable circumstances. Note 5 (d) 
of the 2005 financial statements audited by KPMG states, "Chartered paid TCBA 
$238,827 during 2005 as a reimbursement for its actual labor costs plus overhead and 
general and administrative costs calculated at TCBA's approved federal government 
GSA overhead and general and administrative rates, without profit markup to TCBA ." 

Chartered provided the auditors with the General Services Administration (GSA) 
Schedule that was used to determine the market rate for consulting services like the 
services TCBA provided to Chartered. The GSA establishes a schedule for various 
services, including Management, Organizational and Business Improvement Services 
(MOBIS). The MOBIS reflects the rates the entire Federal government is willing to pay 
to obtain consulting services similar to the services provided by TCBA to Chartered. 
Since the entire federal government and most local governments are willing to accept the 
MOBIS rates, Chartered submit that such rates reflect appropriate rates for the open 
market An examination of the MOBIS schedule will reveal that the rate that was 
charged by TCBA is at or below the rates charged the federal government for the 
identical services. Consequently, appropriate verification of arms length procedures can 
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be confirmed by the use of the MOBIS schedule and the determination that TCBA's rates 
were at or below the market rates reflected in such schedule. These rates are also less 
than other managed consultants retained by Chartered whose fees are indicated elsewhere 
in this response. See page 6. 

Chartered Health Plan would also note that the quality of the services provided were 
evidence by the significantly improved audit results that the Alliance program received 
following the provision of these services by TCBA. The consultants resolved the 
enrollment problems that had been plaguing the Alliance program for several years. 
Reports of the work performed by TCBA were made available to the auditors. Therefore, 
we do not agree with their contention that the services were not performed. 

Response (e) 

As indicated above, the auditors saw no evidence that the lease agreement was an arms- 
length transaction because they did not ask for it from Chartered . Had they asked, 
Chartered would have provided them with what they were paying for their space in 2003 
at the time that they decided to move as well as the proposed much higher fair market 
value of space at other locations that was identified by CB Richard Ellis, Chartered 
Commercial Real Estate Broker and that was visited by Chartered' s management to 
determine suitability. This information remains available. Please see page 6 for a more 
detailed response. 

Response (f) 

Chartered Health Plan and DCHSI continued their management and consulting agreement 
through a Memorandum of Understanding (MOU) executed on April 15, 2003. A copy 
of the agreement was provided to the auditor. This MOU was superseded by the formal 
amendment of November 8, 2006, drafted by our attorney. In addition, Chartered 
provided the DCHSI Management Fee and Pass-Thru-Cost Reconciliation for the Year 
Ended December 31, 2005 to the auditors. To further document the $1.8 million 
expenditure, Chartered provided all of the invoices and supporting documentation. The 
service performed is explained in the time billing summary of the respective 
professionals. Some documents were identified as confidential, but were made available 
at the offices of Chartered for the auditors' review. They never requested to review these 
documents. 

It should also be noted that the consulting rates paid by Chartered to DCHSI were at or 
below fair market value and that Chartered received good and valuable services and the 
results generated is very evident of this fact. 

There is no (g). 

Response (h) 

No response required. 
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Response (i) 



This finding is not accurate. As we demonstrated to the auditors, Chartered has a 
reasonable and established method of allocating any cost for services rendered by 
Chartered to its affiliates. This process was documented and covered in a Memorandum 
of Understanding (MOU) dated January 23, 2003. 

Based on this MOU, in 2005, Chartered billed RapidTrans $45,169.48. Also, in 2005 
Chartered billed Chartered Family Health Center $73,335 for administrative and 
accounting functions, in accordance with Chartered' s formal methodology for allocating 
costs to affiliates. Moreover, the Human Resources budget includes addition items such 
as the cost for summer interns that are not charged to the affiliated entities. 

Response (j) 

As Chartered advised the auditors, there is no support for these expenses because they 
were charged back to DCHSI and therefore, these expenses were credited to Chartered 
and not included in the respective account balances. 

Response (k) 

With all due respect, Chartered disagrees with this assertion. This is another example of 
the auditor's lack of familiarity with managed care. Chartered has the highest number of 
HTV/AIDS members of all three managed care organizations (MCO), and as a good and 
responsible corporate citizen of the Washington, DC community, Chartered makes 
reasonable contributions to local non-profit organizations, particularly those who serve 
and represent our members. These contributions are made from Chartered's 
administrative costs. The specific non-profit organization cited by the auditors, 
Whitman- Walker Clinic, is the premier provider of services to individuals who have been 
diagnosed with HIV/ AIDS, many of whom are members of Chartered Health Plan. Had 
the Whitman- Walker Clinic closed its doors and its Max Robinson Clinic in Anacostia, 
Chartered's members would have to resort to more costly treatment or none at all. Such 
costs would directly, and negatively affect the medical costs of Chartered, the other 
MCOs and the District. 
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DC Chartered Health Plan, Inc. 
Response to Audit of Internal Controls 
Appendix A - Reportable Conditions Related to Information Technology 



The following represents our response the audit findings on internal controls related to information technology. We have not repeated 
the findings; however, in order to ensure coherence, we have shown the finding number and the related bullet. Where necessary and 
warranted, Chartered will review its controls and enhance them. 



Objective 


Response 


# 


Bullet 


1 


1-4 


The IS dept. is notified of a termination by the Human Resources Dept. The Human Resources dept. is responsible for 
collecting all equipment issued by the IS dept. The HR dept. is sent a copy of all signed documents that relate to cell 
phone, lap tops etc. at the time of distribution. 


2 




Chartered has worked extensively on the all aspects of the HIPAA regulations. To aid in the compliance of these 
regulations, Chartered considers all data in MHC to be PHI. Therefore, all employees sign confidentiality agreements at 
their time of hire. The IS dept grants security access to our MHC system based on their role and job function. Each 
request is approved by their supervisor prior to granting access. The systems security logs were provided to the 
auditors. 


3 


1 


In order to show that systems are periodically reviewed, we demonstrated the process and provided screen prints to 
Millco while they were on site. Chartered acknowledges that a formal log of these reviews is not kept and is working on 
updating the process to include an on-going log. 


3 


2 


All hard drives are removed from equipment at the time of disposal. All hard drives are kept locked down with minimal 
IS staff access. We are currently working on ways of destroying and disposing of hard drives. Chartered has considered 
the risk associated with this method and has made a conscious business decision to continue in this manner while 
researching a permanent method of disposal. If a proper risk analysis were completed, this would show minimal security 
risk. 


3 


3 


As explained during Millco' s on-site audit, upon initial login process, all users are told that password must be a 
minimum of 6 characters long, expire every 45 days and the password must be changed at least five times before it can 
be reused. Users are made aware of this at New Employee Orientation, as well as the first time they log on to their 
systems. 


3 


4 


Chartered has made a conscious business decision that, because the MHC system resides on the internal side of the 
firewall, logging into UNIX, UniVerse, and MHC is only accessible by gaining Network access. 



Page 25 



Objective 


Response 


# 


Bullet 


3 


5,6& 
7 


The termination of access to the Network is a priority for Chartered. Once access to the network is terminated, all 
access to internal databases is, in effect, also terminated. This was discussed extensively with the auditors and is 
deemed low risk by Chartered. 


3 


8i 


As explained during Millco's on-site audit, upon initial login process, all users are told that password must be a 
minimum of 6 characters long, expire every 45 days and the password must be changed at least five times before it can 
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be reused. Users are made aware ol this at New Employee Orientation, as well as the first time they log on to their 
systems. 


3 


8 ii 


Chartered has made a conscious business decision to set the account lock-out duration to 60 minutes. The 
recommended Windows setting for account lockout duration and password complexity do not have an effect on 
Chartered s Network security. 


3 


8 iii 


DC Chartered has made a conscious business decision to not enforce logoff when logon hours expire because many 
users run overnight processes. Forcing logoff would kill these processes and could be a detriment to Chartered's 
business practices. Instead of this practice and to ensure system security, Chartered does enforce a screen saver 
policy that requires authentication after 5 minutes of inactivity. 


3 


9 


The accounts for FaxServer and ExchSrv are used for Windows services and are not traditional log-ins. This was 
discusses with Millco in detail while on-site. The account for Fax UM is used by our UM department to receive faxes. 
The UM staff has access to the mailbox ONLY and do not know the password for the user. This account will never 
show as being logged in. This was explained to Millco in detail while on-site. 


3 


10 


As explained during Millco's on-site review, Oracle is not used as an application server. There is no data entered into 
Oracle; it is simply used for reporting purposes. Thus, activating an audit trail would be ineffective and would not show 
any unauthorized access. 


4 


1 


The auditors were given, while on-site, a policy and documentation demonstrating that the Windows systems (desktops, 
laptops, servers) are patched through Microsoft Windows Server Update Services, as needed/recommended. 

Chartered has made a conscious business decision to use Oracle for our data warehouse. Oracle is not supported as a 
traditional database because it is behind our firewall and requires a secure login into the Windows network gain access, 
mitigating the risk. 


4 


2 


DST Health Solutions (DST) provides information on patches and updates necessary to the UNIX platform and 
UniVerse database on which it MHC resides. Applying patches not recommended by DST can disable our Production 
Server and the software it supports. 
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Objective 


Response 


# 


Bullet 


6 


1 


Chartered discussed and provided extensive documentation to the Millco auditors while on-site detailing the 
implementation plan, test documents, and control change forms for identified problems during testing for the 
implementation tor the most recent version upgrade of MHC. Chartered does not own the source code so all process 
during this implementation are a joint effort between Chartered and the vendor, DST. Because we do not own the 
source code, we can not make any changes to the MHC system. In addition, DST Health Solutions (DST) performs all 
release updates and enhancements to their MHC software. Any updates that DC Chartered can perform are driven by 
requests from DST. 


6 


2 


i — 11 i 11* 1 a * T 1 '111 jj* ..1 1* . 1 ■ 1 • . 1 j ■ "1 • .1 1 ' i • .1." 

Chartered discussed extensively and provided documentation to the auditors while on-site, detailing the auditmg that is 
done on ALL PC's connected to the DC Chartered network. DC Chartered audits PC's for hardware as well as software. 
If unauthorized software is found it is immediately removed from the PC. DC Chartered agrees that although this 
process is done and no unauthorized software is supported that this process is not formally documented. The IS dept. 
will formally document this process. 


7 


1 


Although Oracle password controls are not fully implemented within Oracle, any security risk is mitigated by the fact 
that Oracle is behind a Firewall and you must login into the Windows network to access it. Chartered has made a 
conscious business decision to implement passwords in Oracle with minimum controls enforced due to the mitigated 
risk because of its network location. We are currently researching single sign on control for all our systems but until we 
purchase such a system, these controls would only confuse the user and not make this system any more secure. 

Also, password control cannot be enforced in Oracle because DC Chartered staff access the database through an ODBC 
connection. Changing passwords through ODBC connection on Oracle DOES NOT WORK. If a password is set to 
expire the user would not be able to change their passwords. This was discussed extensively with the auditors during 
their on-site review. 


7 


2 


All accounts are set to User and Temp table space because Users only have Select (query) access to Oracle. In order for 
users to query a table they MUST have access to the table space. The reasoning for individual table space would not 
apply in this scenario. This was discussed extensively with the auditors during their on-site review. 


7 


3 


DC Chartered is operating on HP-UX 1 li, which was and remains one of the most recent HP-UX releases, as approved 
by DST Health Solutions, during the most recent upgrade. 

Hewlett-Packard's HP-UX and Informix's/IBM's Uni Verse database run without problem. However, running in trusted 
mode has caused conflicts between the two. Trusted mode is being considered and will be implemented for MHC 
Version 20, if recommend by DST Health Solutions. 


7 


4 


Administering UNIX and UniVerse on the same server requires two root-level logins (root and uv). 
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Objective 


Response 


a 
tt 
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1 


J 
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7 


6 
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7 


7 


Passwords are enforced on both UNIX and Uni Verse. A user must have a login id and password for both UNIX and 
UniVerse, respectively, to access MHC. 


7 


8 


The 5 R commands that are noted were not discussed. 


7 


9 


The TFTP process that is noted cannot be located. Please specify. 


8 




The Senior Pick Programmer/UNIX System Administrator answe 
Information Systems. 

The job functions described and performed as the Senior Pick Pre 
separate for those utilized for UNIX System Administration funct 


rs directly to the Senior Director and Vice-President of 

grammer require passwords and logins that are 
ions. 


10 


1 


Chartered has contracted with a vendor to continue development < 


}f our draft disaster recovery plan. 


10 


2&3 


Chartered continually reviews all security policies and procedures 
In addition, we are audited annually by an outside firm for compl 
financial implications. All audits are thoroughly documented. 


and makes updates when deficiencies are identified, 
ance with security, as it relates to Chartered' s data and 


10 


4 


MHC is a nationally recognized claims processing software. We first implemented their software in 1 999 and have 
been using it successfully for years without any issues or concerns. We do not believe it is necessary, nor do we have 
the capability, to perform a certification and accreditation of the MHC application. Specifically, MHC is a DST Health 
Solutions product and the company and its software applications have been recognized as follows: 

■ 7 of "Top 1 Health Plans" rated MHC best for member satisfaction (NCQA) 

■ DST is one of the top 100 leading IT companies, Healthcare Informatics 

■ DST received the Pinnacle Award for Best Practices, Consumer-Directed Healthcare 

■ DST received the Frost and Sullivan Leadership of the Year Award for excellence in meeting customer needs, 
identifying new markets, introducing new products/services 
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1 


During the on-site review, we discussed the Business Impact Analysis that was completed in 2001. We supplied the 
auditors with several copies of the individual assessments that were completed. 


11 


2 


The testing of our backup tapes is documented in DC Chartered Health Plan's Disaster Recovery Plan. Also, DC 
Chartered has recalled tapes from our offsite storage and successfully restored data from the tapes on several occasions 
and has never run into a situation where a backup restore failed or we were unable to retrieve a necessary tape. 
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First Federal facilities were evaluated by DC Chartered and found to be properly protected against most natural 
disasters. However, with the ever changing environment, Chartered recognizes the current systems limitations and is in 
the process of evaluating other, more advanced back-up systems in an effort to secure an out of state location for our 
data. 


1 1 


4 


DC Chartered has installed a dry fire suppression system and is in the process of capping the wet pipe sprinkler system. 


11 


5 


The unavailability of Windows and Novell do not substantially impact the recovery of MHC. In order to access MHC 
an additional method to enter the network would need to be developed. However, our vendor, DST would be able to 
connect and assist in any way needed. 


1 1 
1 1 





We have identified and contracted with another vendor, Sungard, to assist us with a hot-site in case of the need for 
uibabier icLuvciy. iiieiciuie uicie is nu uecu lur a cuiiudLi wim ine iicdiui cenier ior uns iiccu. 
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First Federal facilities were evaluated by DC Chartered and found to be properly protected against most natural 
disasters. However, with the ever changing environment, Chartered recognizes the current systems limitations and is in 
ine process 01 evaluating ouier, more auvanceu uacK-up systems in an enort xo secure an out 01 siaie location ior our 
data 
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8 


The fire extinguishers in the computer room are operational. Chartered has contracted with a fire protection company to 
inspect and maintain all of Chartered' s fire suppression equipment, as required by DC law. Inspections are at maximum 
six months intervals. 
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June 8, 2007 

Mr. Robert T. Maruca 

Senior Deputy Director 

Department of Health 

Medical Assistance Administration 

Government of the District of Columbia 

Dear Mr. Maruca: 

We have reviewed D.C. Chartered Health Plan, Inc.'s response to our report on the examination of the 
effectiveness of internal controls over financial reporting and our report on the review of operating 
expenses of its contract with the District of Columbia Department of Health. It is our view that Chartered' s 
response failed to directly address the concerns cited in our report and its management fails to accept that 
our findings are legitimate. This response raises additional concerns inasmuch as management of 
Chartered can not begin to address the deficiencies cited until they accept responsibility for the deficiencies 
and agree to a corrective action plan. 

We continue to firmly stand by our report and have provided specific responses to Chartered' s responses to 
our report. Our responses are as follows: 

Material Weaknesses 

We cited that Chartered had material weaknesses in its internal control system. Chartered disagreed and 
cited the following reasons: 

1 . Our team is inexperienced in these type of engagements 

2. Chartered had been audited by KPMG, which did not cite any material weaknesses. 

3. All related party transactions were conducted at fair market value 

4. Chartered's contract with the District is a risk based contract and the concerns cited regarding 
administrative services are of no concern to the District. 

5. Chartered is a privately held company and only the owner should be concerned about transparency 
and disclosure of related party transactions. 

Our response is as follows: 

1. We have provided the District evidence of our qualifications to perform this engagement. 
Furthermore, the material weaknesses noted were not concerns specific to MCOs. The two major 
concerns cited dealt with unsupported related party transactions and weaknesses over its 
information systems. These are areas affecting every industry and have major concerns as areas of 
common abuse. 

2. Chartered's audit by KPMG was of a different scope and for a different purpose than our 
engagement KPMG was engaged by Chartered to express an opinion that the financial statements 
fairly presented Chartered's financial position and operating results in accordance with Generally 
Accepted Accounting Principals. The primary interested party in KPMG's audit is Chartered's 
owner. Therefore, KPMG's focus on materiality was most likely based on Chartered's reported 
income. Also, KPMG's testing of internal controls was much more limited than our testing. Our 
review focused on determining if Chartered's internal controls were adequate to ensure 
transparency and accuracy in its reports to the District. We feel that the reports to the District 
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lacked transparency and have the potential to be misleading by amounts that could materially 
influence the District's capitation negotiation process. Therefore, we continue to feel that the 
weaknesses cited are material. 

3. Chartered did not demonstrate that their related party transactions were at fair value. Our report 
cites clear examples where material amounts were charged to Chartered by affiliates in excess of 
amounts that could be supported. We have recently concluded our review of another MCO and 
compared its cost for the same type of services that Chartered acquired from related parties and 
noted that the other MCO was able to acquire the same services at a fraction of the cost paid by 
Chartered to its affiliate. 

4. It is partially true that Chartered' s contract with the District is a risk-based contract. Chartered 
does receive fixed capitations for its members from which it must provide medical coverage; 
however, the capitation rates that are negotiated are based on Chartered' s reported cost to provide 
medical coverage. If the reported cost of providing medical coverage is inflated, it will generally 
result in inflated capitation rates. 

5. Chartered' s response about it being a privately held company would be legitimate if it were not 
receiving public funds; however, Chartered received all of its operating revenues from the District 
For that reason and reasons cited above, the District has a vested interest in Chartered' s financial 
reporting. 

Transactions with Related Parties 

Chartered disagreed with our findings and cited the following reasons: 

1 . Transactions with related parties are at or below fair value. 

2. Chartered Family Health Center (CFHC) provides comprehensive services, over and above the 
services provided by other primary care providers. 

3. Chartered agreed to cover the cost of a $60 million litigation in which CFHC is the defendant 

4. The $1.8 million paid to Chartered' s parent was for consulting services rendered and 
reimbursement of debt service on a $3.5 million loan used for the acquisition of Chartered in May 
2000. 

5. Chartered prepared an analysis which revealed that the RapidTrans rates for transportation costs 
are at or below rates from unrelated entities for similar services. 

Our response is as follows: 

1. Same as our response to material weaknesses, above. 

2. The contract between Chartered and its primary care providers, including CFHC, specifies the 
required level of service to be provided. We noted no significant difference in the services 
required between CFHC's contract and the contract of other primary care providers who are paid 
less. In their response, Chartered states that the CFHC employs doctors, nurses, receptionists, 
appointment and medical record clerks, and management and administrative personnel. Most, if 
not all, the providers would have similar type of staffing. As we stated in the findings, the 
capitation rate paid to CFHC is more than double the rates paid to any other primary care provider, 
the highest of which is $2 1 .50 vs. $49.44 paid to CFHC. Chartered has indicated that CFHC costs 
are higher than other primary care providers, based in part on additional administrative and facility 
services provided above the minimum level, including specialty care such as ob/gyn, pediatric, and 
orthopedic. They also cited higher legal and administrative costs, even though the contractual 
requirement to provide service is the same for CFHC as any other primary care provider. The 
response also emphasized that CFHC provides primary and specialist services; however, it is our 
understanding that specialist services are billed on fee-for-service basis and should not be 
considered in the capitation rate. If specialist cost is in the capitation rate and also billed 
separately, Medicaid could be paying twice for the same service. Another reason offered by 
Chartered for the higher rate is CFHC costs includes costs relating to legal and adnnnistration, in 
particular, costs associated with a major legal proceeding. According to Chartered, these litigation 
costs were the responsibility of DC Healthcare Systems, Inc, the parent of Chartered, but allocated 
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in part, to Chartered. Furthermore, Chartered down streamed the liability of the lawsuit to CFHC. 
Such costs should be included in DC Healthcare Systems, Inc. legal and administrative cost. By 
including these legal/administrative costs directly in the cost of health care paid to CFHC, 
Chartered inappropriately includes these costs in its health care cost If these costs were ultimately 
determined to be legitimate costs of Chartered they should be classified as Iegayadministrative 
cost, not health care costs. If the administrative costs in question were counted in Chartered costs, 
the administrative percentage could be above the maximum allowed. 

3. See item two (2) directly above. 

4. Chartered' s contract with the parent company was not executed until after the year that the costs 
were actually incurred. Furthermore, the contract dictates that the payments would be based on 
invoices for services performed. We noted no invoices received and also noted that the amounts 
were paid in equal $150,000 monthly amounts. We noted no evidence of the services received. 
With respect to the reimbursement for debt services payments, we feel that such costs would be 
inappropriate for inclusion in capitation rate negotiation purposes. We continue to stand by this 
finding. 

5. In a memo received from Chartered management, it noted that Chartered based their transportation 
"value" on information from LogistiCare, a company that provides Medicaid non-emergency 
services in the District of Columbia (DC). Therefore, Chartered adjusted the rate paid to its related 
party provider, RapidTrans, to a capitated rate of $5.35 per member per month (pmpm). We 
reviewed another DC Medicaid managed care organization (MCO) and noted that their contract 
with LogistiCare to provide non-emergent transportation services is based on a capitated rate of 
only $1.70 pmpm. Both Chartered and the other MCO have a comparable total Medicaid 
membership population of approximately 40,000. For a twelve-month period, the reported 
transportation cost for Chartered was $2,940,569 (this includes an adjustment for the prior year of 
about $490,000). For a twelve-month period of the other MCO, the reported amount was 
$8 13,591 . This disparity is significant and should be justified by Chartered. 

Weakness with Control Environment 

Chartered disagrees with this comment and cites a number of conditions that they contend represents an 
adequate control environment; however, we contend that an adequate control environment would not have 
permitted the substantial unsupported related party transactions. We continue to stand by this comment. 

Inadequate Controls over IT Functions 

Chartered' s response fails to directly address our findings. We continue to firmly stand by this comment. 
SAS 70 Reports 

Chartered indicates in their response that they will begin to ask their service processors to provide SAS 70 
reports. We find that this response is adequate. 

Chartered fails to Fairly Allocate Administrative Costs to Affiliates 

Chartered' s response indicates that our finding is not accurate. During our fieldwork, Chartered did not 
provide any documentation regarding administrative cost allocation policy. We did receive a copy of the 
$45,000 invoice related to a finance cost allocation but that invoice did not include any details relating to 
the calculation of salary cost and did not identify corresponding percentages of the employees' salary. 

Our finding regarding administrative cost allocation relates to Human Resources (HR) and Payroll. During 
our fieldwork, we were told that 30-35% of HR/payroll hours are expended on affiliate activities for which 
we found no cost allocation. 

Subsequently, we did receive a copy of the cost allocation policy. Nonetheless, at the time of our fieldwork, 
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we did not see any otber administrative costs allocated to affiliates. Therefore, we were not able to 
determine if Chartered allocates cost to its affiliates as recorded in a policy. 

Minimize Fraud and Inaccurate Provider Reporting 

We understand that Chartered does have a Compliance Plan that was submitted and accepted by the 
District We also understand that Chartered utilizes certain Ingenix software solutions. 

Given the industry's high risk for waste, our finding relates to additional action that should be taken to 
prevent, minimize, and/or recover potential waste. For example, we had encouraged on-site reviews of 
providers billing records. In Chartered response to the findings, they have indicated that they now have a 
contract with a vendor to perform on-site audits. 

Nolmthstanding Chartered' s Compliance Plan and their level of audit before claims are adjudicated, in 
2006, Ingenix analyzed approximately three (3) years of claim data (11/06/2003-10/31/06) and reported to 
Chartered a number of findings with recommendations to recover potential incorrect payments thereby 
underscoring the need for additional fraud and abuse prevention measures. In fact, Chartered 
acknowledges this very point in the conclusion of their response to this finding. 

Document formal Procedures for Data Extraction 

Chartered 1 s response indicates that they disagree entirely with this finding. Our concerns relating to this 
finding were discussed at length with Chartered' s Internal Auditor and the personnel who had 
responsibility for data extraction. At the time that this concern was discussed, Chartered' s management 
was "at a loss" to explain why they were getting different results from the various data extractions of 
supposedly identical databases. At that time, they agreed that they needed to document standard procedures 
for this purpose. We continue to stand by this comment. 

Controls Should be Strengthened over Payments to Pharmacies 

Chartered acknowledges in its response that it will enhance procedures where warranted and therefore, we 
continue to recommend that Chartered agree the bi-weekly wire transfer amounts paid to the detailed 
monthly reports for all payments made. 

In addition, we recommend that Chartered confirm the rates used in payment processing to the agreed upon 
rates in the prevailing contract, and implement procedures to ensure that Caremark maintain adequate 
internal control over the drug benefit administrative process. 

Certain Costs are Paid for and Paid to CHFC without Support 

See comments above relating to costs paid to Chartered Health Family Center. Also, a depreciation expense 
item of $154,544 was included in the total reported capitation cost. We were informed that this was an 
expense applicable to CHFC; however, it is recorded in Chartered books as if it is an additional capitation 
cost Based on the detailed depreciation expense report, the largest item relates to Leasehold Improvement 
and Leasehold Improvement-labor. The original cost being depreciated is $2,102,556. The details relating 
to the original cost was not attached to the depreciation information. Chartered failed to address this item 
in its response. 

Number of Enrollees in Sub-capitation Arrangements Differs 

Chartered' s response indicates that they disagree with our finding but will review these processes and 
enhance the controls where warranted. 

We continue to recommend that Chartered confirm the number of enrollees in all sub-capitation 
arrangements. The number of members per month used for non-PCP sub capitation vendors should be the 
same within a given month for all vendors with the same basis of member eligibility. Within our sample 
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months, the number of members per month was different for some vendors. 

We inquired about the procedure and authorization for the monthly capitation payment and were referred to 
three (3) different departments without receiving satisfactory explanation. 

Improve Controls over Payroll and Human Resources Departments 

Chartered disagreed our comments and cited the following reasons which we have responded to below: 

1. Chartered agreed then subsequently disagreed, citing that a secondary review is completed by the 
Payroll Accountant 

During our review, we were informed that the Payroll Accountant is responsible for updating 
payroll related withholdings and deduction information. We noted no evidence of a secondary 
review performed by the Payroll Accountant. We continue to stand by this comment. 

2. Chartered disagreed, citing that Chartered' s HR policies and procedures are contained in its 
Employee Handbook. 

Our finding relates to specific procedures to be performed by HR personnel to ensure that the 
critical HR functions are completed accurately in the event of HR personnel absence. The 
Employee Handbook does not accomplish this function. We continue to stand by this comment. 

3. Chartered disagreed, citing we observed HR personnel access ADP Perspectives (HR information 
system) as opposed to ADP Payroll (Payroll processing system). 

We observed as the HR Specialist clicked on "start" on her Microsoft Windows Operating System, 
and then viewed all programs listed which included a folder of software programs related to ADP. 
Within the ADP folder there were several different software options that included ADP 
Perspectives and ADP Payroll. ADP Payroll was selected, a user login and password was entered, 
and access was granted. We continue to stand by this comment. 

4. Chartered disagreed, citing their mitigating control to prevent fraud or errors is payroll payees 
cannot be created in the payroll system by Payroll Accountant or by a Department Head. 

We requested a system generated user list for the payroll system that was not provided; therefore, 
we were unable to confirm who has access to payroll system. Additionally, based on number three 
(3) directly above, we question who has access to Chartered' s ADP related software systems. We 
continue to stand by this comment. 

5. Chartered disagreed, citing that payroll summaries are reviewed by the Director of Finance and the 
CFO reviews total payroll and payroll expenses for variances. 

Our finding relates to reviews completed by the Director of Finance or the CFO for every payroll 
period. Chartered's response does not identify how the Director of Finance or CFO reviews are 
documented. We continue to stand by this comment. 

6. Chartered disagreed, citing that signed payroll wire transfers are maintained by Chartered's 
Chairman and a copy of the unsigned wire request is maintained by Chartered. 

Chartered maintaining a copy of an unapproved wire request does not constitute complete records 
being maintained at a centralized location. We continue to stand by this comment. 
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Improve Controls over Cash Disbursements 

Chartered disagreed with our remaining comments and cited the following reasons which we have 
responded to below: 

1. Chartered did not pay the five (5) expenses in question and they are not included in Chartered' s 
Financial Statements. 

After discussion wife Chartered's management and review of supporting documentation, we no 
longer consider this a finding. 

2. The auditors did not ask for 3 1 journal entry batch listings noted as not received 

Our request was sent to the CFO on March 1, 2007. We continue to stand by this comment 

3. After fiirther review, Chartered found that all check requests are properly approved- 

During our review, we reviewed check requests and supporting invoices for proper approval. We 
continue to stand by this comment 

4. The "expenses" referred to were actually accrued expenses and not actually cash disbursements; 
therefore, no checks were issued. 

We agree that the expenses represent accruals; however, the accruals resulted in a related cash 
disbursement in the subsequent month for which no check was received We continue to stand by 
this comment. 

5. After further review, all entries were properly posted to the general ledger. 

We noted for one check request that the general ledger posting instructions per the check request 
did not agree to the actually posting per the general ledger. Fot a different expense, we noted a 
contribution was recorded as a capitations payable, as opposed to accounts payable. We continue 
to stand by this comment 

6. If an invoice is not stamped properly, the accounting system will not allow the invoice to be paid 



Due to the untimely receipt of our requests, we were not able to obtain evidence that Chartered's 
accounting system will reject payment due to duplicate invoice. We continue to stand by this 
comment. 



We hope this response adequately addresses any concerns that you may have with Chartered's response to 
our reports. 



twice. 



Sincerely, 




Jonn Milligan, CPA, Managing Parmer 
Milligan and Company, LLC 



